
Insidious Mac malware is getting more sophisticated


Known Mac malware called UpdateAgent has been around for over a year, and it is getting more sinister as its developers add new bells and whistles. The additions include pushing an active second-stage adware payload that installs a persistent backdoor on infected Macs.

The UpdateAgent family of malware started circulating no later than November or December 2020 as a relatively basic information stealer. It collected the product name, version number, and other basic system information. Its persistence methods, that is, its ability to run every time the Mac boots, were fairly rudimentary too.

Attacking the person in the middle

Over time, Microsoft said on Wednesday, UpdateAgent has grown increasingly advanced. Besides the data sent to the attacker’s server, the application also sends a “heartbeat” to let the attackers know whether the malware is still running. It also installs adware called Adload.

Microsoft researchers wrote:

Once the adware is installed, it uses ad-injection software and techniques to intercept the device’s online communications and redirect the user’s traffic through the adware operators’ servers, injecting advertisements and promotions into web pages and search results. More specifically, Adload leverages a Person-in-the-Middle (PiTM) attack by installing web proxies to hijack search engine results and inject ads into web pages, thereby siphoning ad revenue from legitimate website owners to the adware operators.

Adload is also an unusually persistent line of adware. It is capable of opening a backdoor to download and install other adware and payloads, in addition to collecting system information that is sent to the attackers’ C2 server. Considering that both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more malicious threats to target systems in future campaigns.

Before installing the adware, UpdateAgent now removes a flag that the macOS security mechanism called Gatekeeper adds to downloaded files. (Gatekeeper ensures users receive a warning that new software came from the internet, and it also checks that the software doesn’t match known malware strains.) While this malicious ability isn’t new (Mac malware from 2017 did the same thing), incorporating it into UpdateAgent shows that the malware is under regular development.

UpdateAgent’s reconnaissance has been expanded to collect system profile and SPhardwaretype data that, among other things, reveals the serial number of the Mac. The malware also started modifying the LaunchDaemon folder instead of the LaunchAgent folder it used before. While the change requires UpdateAgent to run as administrator, it allows the code-injecting trojan to run persistently as root.
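The move from LaunchAgents to LaunchDaemons matters to defenders because a LaunchDaemon plist is a boot-time, root-level persistence point. The script below is an added example written for this article, not code from Microsoft or from the malware analysis; it triages launchd plists for the traits the article describes (start at boot, stay alive, and run a payload from a user-writable location). The two sample plists are constructed for illustration, and the directory paths in the `__main__` block are the standard macOS locations (an assumption about where a responder would point it, not something the article specifies).

```python
import os
import plistlib
from typing import Dict, List

# Directories from which a LaunchDaemon program is normally expected to run.
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Locations that have no business hosting a root-level daemon binary.
SUSPICIOUS_PROGRAM_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/", "/Volumes/")

SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")


def launch_plist_findings(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one launchd plist.

    An empty list means nothing stood out. This is triage, not a verdict:
    legitimate third-party daemons also use RunAtLoad and KeepAlive.
    """
    job: Dict = plistlib.loads(plist_bytes)
    findings: List[str] = []

    # launchd runs Program if present, otherwise ProgramArguments[0].
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if not program:
        findings.append("no Program/ProgramArguments: malformed or placeholder job")
        return findings

    # A shell interpreter with an inline command is a common way to hide the
    # real payload, so inspect the tokens of that inline command as well.
    candidate_paths = [program]
    if args and args[0] in SHELLS and "-c" in args:
        findings.append("shell -c wrapper: inline command instead of a binary")
        idx = args.index("-c") + 1
        inline = args[idx] if idx < len(args) else ""
        candidate_paths += [tok for tok in inline.split() if tok.startswith("/")]

    for path in candidate_paths:
        if path.startswith(SUSPICIOUS_PROGRAM_PREFIXES):
            findings.append(f"runs from user-writable/temporary path: {path}")
        elif not path.startswith(TRUSTED_PROGRAM_PREFIXES):
            findings.append(f"runs from outside system directories: {path}")

    # Persistence knobs: start at every boot, and get restarted if killed.
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad is set (starts at every boot)")
    keep_alive = job.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):
        findings.append("KeepAlive is set (relaunched if it exits)")

    # Vendor jobs use reverse-DNS labels; a bare word is worth a second look.
    label = job.get("Label", "")
    if label.count(".") < 2:
        findings.append(f"label is not reverse-DNS style: {label!r}")

    return findings


def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Triage every .plist in a launchd folder; returns {filename: findings}."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                results[name] = launch_plist_findings(fh.read())
            except Exception as exc:  # unreadable or binary-garbled plist
                results[name] = [f"could not parse: {exc}"]
    return results


# Constructed sample: a plausible vendor daemon (hypothetical label and path).
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.vendor.updater",
    "Program": "/usr/libexec/example-updater",
    "StartInterval": 3600,
})

# Constructed sample with the pattern the article describes: a root-level job that
# starts at boot, is kept alive, and launches a payload from a temporary directory.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "updater",
    "ProgramArguments": ["/bin/sh", "-c", "/tmp/.agent/run"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample_name, sample in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(sample_name, launch_plist_findings(sample) or ["nothing notable"])
    # On a real Mac, point it at the daemon folder the article says UpdateAgent now uses.
    for folder in ("/Library/LaunchDaemons", "/Library/LaunchAgents"):
        for fname, found in scan_directory(folder).items():
            if found:
                print(folder, fname, found)
```

Run it with no arguments to see the two constructed samples scored; on a Mac it then walks the system launchd folders and prints only jobs with findings. Treat a hit as a lead for further triage (who signed the binary, when the plist appeared, what the inline command does), not as a conviction.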

The following timeline illustrates the development.

[Timeline image: courtesy of Microsoft]

