The new variant of the UpdateAgent malware is also capable of dropping adware on macOS devices.
Computer security researchers at Microsoft Security Intelligence have discovered a new variant of the UpdateAgent (aka WizardUpdate) malware that targets Mac devices. UpdateAgent was initially discovered in November 2020 targeting macOS.
New variant, new capabilities, new adware
In a series of tweets, Microsoft explained that the variant is equipped with new features, including increased persistence and evasion tactics. This indicates that the malware is not only difficult to detect, but also difficult to eliminate.
Another malicious capability of the malware includes the abuse of the public cloud infrastructure to host additional payloads. For example, during an infection, UpdateAgent installs new adware called Adload.
According to the researchers, although the malware collects and sends system information to a C2 server, one of the most notable additions to the malware’s capabilities is its ability to bypass Apple’s Gatekeeper security feature. It does this by removing the quarantine attributes from the downloaded file.
The screenshot below shows the evolution of Trojan:MacOS/UpdateAgent.B (aka WizardUpdate):
Evolution of Trojan:MacOS/UpdateAgent.B (aka WizardUpdate)
For context, Gatekeeper is a core macOS security feature: it verifies downloaded apps and enforces code-signing checks before allowing them to run on a Mac, which reduces the chance of running malware.
However, like the OSX/Dok malware, UpdateAgent also bypasses the Gatekeeper security feature, making it a persistent threat.
The malware also abuses the existing user's permissions to create folders on the affected device. It uses PlistBuddy to create and modify plists in LaunchAgents/LaunchDaemons for persistence, then covers its tracks by removing the folders, files and other artifacts it created, the researchers tweeted.
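The persistence mechanism described above (launchd plists written under LaunchAgents/LaunchDaemons) can be triaged from the defender's side by parsing each plist and checking where it executes from. The following is an added example, not code from Microsoft's research or this article: it uses Python's standard-library plistlib, which reads both the XML and binary formats PlistBuddy produces, and flags items that run from outside an assumed allowlist of system paths. The allowlist, the heuristics, the sample plists and their labels are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumed allowlist (illustrative): prefixes from which launch items normally execute.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

def program_path(plist):
    """Return the executable launchd would start for this plist, or None."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None

def audit_launch_item(data):
    """Parse one LaunchAgent/LaunchDaemon plist (bytes) and return a triage verdict."""
    result = {"label": None, "program": None, "suspicious": False, "reasons": []}
    try:
        plist = plistlib.loads(data)  # auto-detects XML or binary plist
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        result.update(suspicious=True, reasons=["not a parseable plist"])
        return result
    result["label"] = plist.get("Label")
    path = program_path(plist)
    result["program"] = path
    if path is None:
        result.update(suspicious=True, reasons=["no Program/ProgramArguments key"])
        return result
    if not path.startswith(TRUSTED_PREFIXES):
        result["suspicious"] = True
        result["reasons"].append(f"executes from untrusted location: {path}")
    # Persistence flags are common in legitimate items, so they are recorded as context only.
    for key in ("RunAtLoad", "KeepAlive"):
        if plist.get(key):
            result["reasons"].append(f"{key} set")
    return result

# Constructed sample resembling an adware-style persistence entry (not a real UpdateAgent artifact).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.fakeupdater</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.cache/updater</string><string>--silent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

# Constructed sample of a benign-looking helper launched from an installed application.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
<key>RunAtLoad</key><true/></dict></plist>"""
```

On a real system the same function would be run over every file in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, and items whose program no longer exists on disk are worth a second look given the cleanup behaviour described above.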
UpdateAgent malware impersonates legitimate software
The modus operandi of the new variant is to pose as legitimate software. As of yet, Microsoft has not disclosed precisely which software the malware spoofs. However, the company believes the new variant is being distributed via drive-by downloads.
A drive-by download attack refers to the unintentional downloading of malware or malicious code by users onto their computers. Simply put, software downloaded with the user's permission but without the user understanding the consequences (a virus posing as game mods, for example) is called a drive-by download.
How to protect your Mac devices from cyber attacks?
Most software for macOS comes at a premium price, so it is easy to trick unsuspecting users into downloading malware disguised as legitimate software. That is why it is important to refrain from downloading pirated programs or software from third-party websites or marketplaces.
Nevertheless, since Mac devices are constantly subject to cyber attacks, users need to learn how to protect their devices. Here are some simple tips to follow:
- Use VPN software
- Disable remote connections
- Use the two built-in firewalls
- Disable automatic user login
- Update your macOS regularly
- Install reliable antivirus software for Mac
- Configure Gatekeeper to block digitally unsigned apps
- Disable Java and automatic downloads in the Safari browser