Microsoft tracking increasingly sophisticated Mac trojan that delivers adware

Posted:
in macOS
Microsoft's security team has detailed a relatively new piece of Mac malware that has evolved significantly to offer attackers an "increasing progression of sophisticated capabilities."

Malware illustration
Malware illustration


The malware family, dubbed UpdateAgent by the Microsoft 365 Defender Threat Intelligence Team, first surfaced in September 2020. Since then, it has gradually progressed from a simple information extractor to a more dangerous piece of malware that can deliver other payloads.

UpdateAgent, which is actively in development by malware authors, can infect user Macs through vectors like drive-by downloads or pop-up ads. It often presents itself like a legitimate piece of software, such as a video app or a support agent.

Some of the trojan's more nefarious elements include capabilities like bypassing Apple's Gatekeeper security control or using existing permissions to delete evidence of its existence on a Mac. Back in August, it was updated with a new ability to inject persistent code that can run as root in an invisible background process.

Additionally, the malware uses public cloud infrastructure like Amazon S3 or CloudFront to deliver second-stage payloads in the form of .dmg or .zip files.

These tactics can allow it covertly carry out malicious activities, like delivering adware or other payloads. While it's currently used to deliver an "unusually persistent" adware called Adload, Microsoft says attackers could leverage UpdateAgent to deliver more potentially dangerous attacks down the road.

"UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns," Microsoft said of the malware.

Although UpdateAgent was first discovered by Microsoft in October 2021, it has been in the wild since at least late 2020. Later versions of UpdateAgent display "much more refined behavior compared with earlier versions," which could suggest that future updates could be on the horizon.

What's at risk, and how to protect yourself

Microsoft did not disclose if there were any specific versions of macOS vulnerable to the malware. Because it is still being actively developed, it's better to assume that your Mac is vulnerable to the malware than not.

UpdateAgent has one key weakness compared to other Mac threats: it requires the user to explicitly download a malicious file.

Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.

Read on AppleInsider
«1

Comments

  • Reply 1 of 24
    rob53rob53 Posts: 3,272member
    Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

    “Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

    This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?
    lkruppwilliamlondonBeatsbaconstangaderutterAndy.Hardwakebadmonkgenovellesphericjony0
  • Reply 2 of 24
    I personally only use the App Store... but if it should happen to someone... would Malwarebytes Anti-Malware software be able to fix the problem?
    lkruppwatto_cobra
  • Reply 3 of 24
    rob53rob53 Posts: 3,272member
    stevenoz said:
    I personally only use the App Store... but if it should happen to someone... would Malwarebytes Anti-Malware software be able to fix the problem?
    Hopefully detect and block it before it does damage but not sure if it’s on their list. 
    watto_cobra
  • Reply 4 of 24
    lkrupplkrupp Posts: 10,557member
    Magic word is ‘trojan”. Stupid people click on this shit and then march over to the Apple Discussion Forums demanding Apple fix it... RIGHT NOW!

    I still get the “You need to update to the latest version fo Flash Player to view this content" once in a while. And the dumb asses of the world go right ahead and click.
    williamlondonmacplusplusBeatsbaconstangfahlmanjony0watto_cobra
  • Reply 5 of 24
    lkrupplkrupp Posts: 10,557member
    Does this article mean to imply that Apple is unaware of this and is not tracking it? Seems so. Only Microsoft cares about Apple users, not Apple?
    williamlondonmacplusplusjony0watto_cobra
  • Reply 6 of 24
    lkrupp said:
    Does this article mean to imply that Apple is unaware of this and is not tracking it? Seems so. Only Microsoft cares about Apple users, not Apple?
    No.
    beowulfschmidtsphericwatto_cobragephyrophobia
  • Reply 7 of 24
    Let us see..... Turn off WiFi, shut down bluetooth and turn off cell data. Now perhaps the iPhone and or iPad is secure.....????
    watto_cobra
  • Reply 8 of 24
    darkvaderdarkvader Posts: 1,146member
    rob53 said:
    Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

    “Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

    This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?

    Stop it.  This has NOTHING to do with loading software onto your iPhone from any source of your own choosing. 
    williamlondon
  • Reply 9 of 24
    rob53rob53 Posts: 3,272member
    darkvader said:
    rob53 said:
    Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

    “Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

    This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?

    Stop it.  This has NOTHING to do with loading software onto your iPhone from any source of your own choosing. 
    Actually it does because side loading would make it easier to install malware without any problem. There would be no controls stopping it. You know I’m right. 
    williamlondonBeatsaderutterfahlmanjony0watto_cobra
  • Reply 10 of 24
    rob53 said:
    Actually it does because side loading would make it easier to install malware without any problem. There would be no controls stopping it. You know I’m right. 
    You are right. It is the cost of freedom. So iOS is an excellent choice for those who do not wish to pay that cost, as are other closed ecosystems such as gaming consoles. (Or at least XBox, Nintendo and PlayStation. On the upcoming Steam Deck, that will be a Linux system so you will be able to do anything with it that you want.)
    fahlmanjony0watto_cobra
  • Reply 11 of 24
    sflocalsflocal Posts: 6,110member
    rob53 said:
    Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

    “Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

    This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?
    I remember in the earlier years of the iPhone, how the media would pump out article after article about iPhones being hacked and information stolen, only to read at the very bottom of the article in fine print that the vulnerability only existed on jailbroken iPhones.  

    Yeah, if somehow the government succeeds in forcing Apple to open up its proprietary product to 3rd party companies, I see this happening more and more.
    rob53jony0watto_cobra
  • Reply 12 of 24
    rob53 said:
    Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

    “Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

    This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?
    Congress is like side “loader”….the best in spending my hard earned tax money specially their salaries. Not surprised here
    fahlmanwatto_cobra
  • Reply 13 of 24
    baconstangbaconstang Posts: 1,127member
    Just for clarity, this is about macOS, not iOS, correct?
    sphericwatto_cobra
  • Reply 14 of 24
    rob53 said:
    Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

    “Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

    This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?
    This is the current situation on Windows, with all the possible nightmares that come with it. Congress isn't busy with security of course, that is Apple's, and Microsoft's problem, as it should be. There is no reason why side-loading cannot be secure.
    williamlondon
  • Reply 15 of 24
    rob53 said:
    Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

    “Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

    This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?
    Because the App Store would still be available when side-loading is allowed. It is the choice of the end-user where to source apps from.

    Secondly, iOS and iPadOS are different from macOS in the sense that even when side-loading is allowed, it runs in a secure container that never reaches the kernel or other foundational parts of the OS that a trojan can tie to / hide in. macOS works much more like a traditional operating system in that sense, which is beneficial for use-cases that do not apply to iOS and iPadOS. Only when iOS/iPadOS have bugs, an iOS/iPadOS trojan could actually be a thing, either side-loaded or coming from the App Store undetected.
    williamlondon
  • Reply 16 of 24
    lkrupplkrupp Posts: 10,557member
    ApplePoor said:
    Let us see..... Turn off WiFi, shut down bluetooth and turn off cell data. Now perhaps the iPhone and or iPad is secure.....????
    You don’t need to do any of that. You simply need to not be stupid and click on flakey links. In other words, use common sense. You can do that, right?
    watto_cobra
  • Reply 17 of 24
    Sarcasm is often used to illustrate why some ideas have no usefulness in the scheme of things.
    watto_cobra
  • Reply 18 of 24
    rob53rob53 Posts: 3,272member
    Just for clarity, this is about macOS, not iOS, correct?
    Yes it is. I diverted before anyone else commented, noticing how AI presents similar articles with different results. Both OSes have the same issues when dealing with potential malware. 
    watto_cobra
  • Reply 19 of 24
    mcdavemcdave Posts: 1,927member
    Google Chrome?
  • Reply 20 of 24
    mcdavemcdave Posts: 1,927member
    rob53 said:
    Actually it does because side loading would make it easier to install malware without any problem. There would be no controls stopping it. You know I’m right. 
    You are right. It is the cost of freedom. So iOS is an excellent choice for those who do not wish to pay that cost, as are other closed ecosystems such as gaming consoles. (Or at least XBox, Nintendo and PlayStation. On the upcoming Steam Deck, that will be a Linux system so you will be able to do anything with it that you want.)
    😄 Yeah right! Freedom to do whatever developers allow you to do! Choice isn’t freedom, wake up.
Sign In or Register to comment.