Microsoft Says Mac Trojan Is Getting Stealthier, More Threatening

Microsoft malware hunters are drawing attention to a nasty macOS malware family that has quickly evolved from a basic information-gathering Trojan to a stealthy backdoor with more powerful capabilities.

The macOS malware family, called UpdateAgent, first appeared just over a year ago with rudimentary infection and data-stealing capabilities, but researchers have spotted signs that the malware is turning into a full-fledged espionage toolkit.

Around November 2020, Microsoft first observed the macOS threat being used for reconnaissance, with basic functions to collect product names, software versions and other system information.

In January 2021, a newer version added the ability to fetch secondary payloads from public cloud services, and a few months later Microsoft noticed stealthy bypasses of Apple’s security controls, two worrying signs that the gang behind the malware continues to invest heavily in reaching victims on Apple’s flagship desktop platform.

[ READ: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days ]

During the second half of 2021, the malware became even more powerful, collecting more data from the target system and adding backdoor-like functionality to execute additional commands. Microsoft later found evidence that the malware had gained the ability to modify the sudoers list, allowing it to bypass the prompt for elevated user credentials when running the application UpdateAgent downloads.
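A practitioner reading about the sudoers modification will want a way to check for it. The following is an added example, not code from Microsoft’s report or from the article: a small scanner that reads sudoers-format text and flags the rule shapes that remove the password prompt, namely user specifications tagged NOPASSWD and Defaults lines that set !authenticate. The article does not say which exact lines UpdateAgent wrote, so the scanner looks for the generic pattern rather than a known indicator; the sample sudoers content below is constructed for illustration.

```python
"""Flag sudoers rules that let a user run commands without a password prompt.

Added example (not from Microsoft's UpdateAgent report). It scans text in
/etc/sudoers syntax and reports every user specification carrying the
NOPASSWD tag, plus any Defaults line that disables authentication. The
sample input is constructed; it is not a real indicator of UpdateAgent.
"""
import re
from typing import List, Tuple

# Constructed sample: a default-looking macOS sudoers with four suspicious
# entries appended (lines 7, 8, 10-11 and 12).
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
Defaults timestamp_timeout=5
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
#includedir /private/etc/sudoers.d
ALL ALL = (ALL) NOPASSWD: ALL
alice ALL = (root) NOPASSWD: /usr/bin/open
bob ALL = (ALL) ALL
carol ALL = (ALL) \\
    NOPASSWD: /bin/sh
Defaults:bob !authenticate
"""

# sudoers tags are case-sensitive, so NOPASSWD is matched as written.
NOPASSWD_RE = re.compile(r"\bNOPASSWD\s*:")
NO_AUTH_RE = re.compile(r"!\s*authenticate\b")


def _is_comment(line: str) -> bool:
    """True for real comments. '#include' and '#includedir' are directives,
    not comments, so they are deliberately not treated as comments here."""
    stripped = line.lstrip()
    if not stripped.startswith("#"):
        return False
    return re.match(r"#(include|includedir)\b", stripped) is None


def find_nopasswd_rules(sudoers_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule) for every rule that removes the password
    prompt. Backslash continuations are joined first so a rule split across
    lines is still caught; the reported line number is where the rule starts.
    """
    findings: List[Tuple[int, str]] = []
    logical = ""
    start_no = 0
    for no, raw in enumerate(sudoers_text.splitlines(), start=1):
        if not logical:
            start_no = no
        if raw.rstrip().endswith("\\"):
            logical += raw.rstrip()[:-1] + " "
            continue
        logical += raw
        line, logical = logical, ""
        if not line.strip() or _is_comment(line):
            continue
        if line.lstrip().startswith("Defaults"):
            # 'Defaults !authenticate' (optionally scoped, e.g. Defaults:bob)
            # turns off the password check entirely for the affected users.
            if NO_AUTH_RE.search(line):
                findings.append((start_no, " ".join(line.split())))
            continue
        if NOPASSWD_RE.search(line):
            findings.append((start_no, " ".join(line.split())))
    return findings


def is_blanket_rule(rule: str) -> bool:
    """True when the flagged rule applies to every user (user field 'ALL')."""
    return rule.split()[0] == "ALL"


if __name__ == "__main__":
    for line_no, rule in find_nopasswd_rules(SAMPLE_SUDOERS):
        tag = "BLANKET" if is_blanket_rule(rule) else "scoped"
        print(f"line {line_no}: [{tag}] {rule}")
```

On a Mac the same function can be run over the contents of /etc/sudoers and every file under /etc/sudoers.d (both need root to read); because #includedir is a directive rather than a comment, the included directory has to be scanned too, and `visudo -c` only validates syntax, not whether a rule should be there.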

“The latest campaign saw the malware install the evasive and persistent Adload adware, but UpdateAgent’s ability to gain access to a device can theoretically be further exploited to fetch other potentially more dangerous payloads,” Microsoft said in a report documenting the UpdateAgent malware family.

The malware, which is currently used to siphon off money from malicious online advertising, has also been observed bypassing Apple’s Gatekeeper security technology and taking advantage of existing user permissions to stealthily perform malicious activities before deleting evidence to cover its tracks.

[ READ: Microsoft Disables MSIX Protocol Due to Abuse by Malware ]

“UpdateAgent lures its victims by masquerading as legitimate software and can turn the Mac device’s features to its advantage,” Microsoft said, adding that the malware bypasses Gatekeeper controls, “which are designed to ensure that only trusted apps run on Mac devices.”

The company also released technical evidence showing that UpdateAgent abuses public cloud infrastructure, Amazon S3 and CloudFront, to host its additional payloads.

Redmond shared its findings with Amazon, and the malicious URLs have since been taken down.

“UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key characteristic that indicates this Trojan will likely continue to use more sophisticated techniques in future campaigns,” Microsoft warned, noting that the Trojan is probably distributed via drive-by downloads or advertisement pop-ups that pose as legitimate software applications.

“This action of impersonating legitimate software or bundling with legitimate software increases the likelihood that users will be tricked into installing the malware. Once installed, UpdateAgent begins to collect system information which is then sent to its command and control server (C2).”

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days

Related: Microsoft Draws Attention to Windows “Wormable” Flaw

Related: Apple Patches “Actively Exploited” Mac, iOS Security Flaw


Ryan Naraine is editor of SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years of experience in the field of computer security and technology trends. Ryan has implemented security engagement programs for major global brands including Intel Corp., Bishop Fox and Kaspersky GReAT. He is co-founder of Threatpost and the SAS Global Conference Series. Ryan’s career as a journalist includes stints at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the non-profit organization Security Tinkerers and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.
