Microsoft tracking increasingly sophisticated Mac trojan that delivers adware
Microsoft's security team has detailed a relatively new piece of Mac malware that has evolved significantly to offer attackers an "increasing progression of sophisticated capabilities."
Malware illustration
The malware family, dubbed UpdateAgent by the Microsoft 365 Defender Threat Intelligence Team, first surfaced in September 2020. Since then, it has gradually progressed from a simple information extractor to a more dangerous piece of malware that can deliver other payloads.
UpdateAgent, which is actively in development by malware authors, can infect user Macs through vectors like drive-by downloads or pop-up ads. It often presents itself like a legitimate piece of software, such as a video app or a support agent.
Some of the trojan's more nefarious elements include capabilities like bypassing Apple's Gatekeeper security control or using existing permissions to delete evidence of its existence on a Mac. Back in August, it was updated with a new ability to inject persistent code that can run as root in an invisible background process.
Additionally, the malware uses public cloud infrastructure like Amazon S3 or CloudFront to deliver second-stage payloads in the form of .dmg or .zip files.
These tactics can allow it covertly carry out malicious activities, like delivering adware or other payloads. While it's currently used to deliver an "unusually persistent" adware called Adload, Microsoft says attackers could leverage UpdateAgent to deliver more potentially dangerous attacks down the road.
"UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns," Microsoft said of the malware.
Although UpdateAgent was first discovered by Microsoft in October 2021, it has been in the wild since at least late 2020. Later versions of UpdateAgent display "much more refined behavior compared with earlier versions," which could suggest that future updates could be on the horizon.
UpdateAgent has one key weakness compared to other Mac threats: it requires the user to explicitly download a malicious file.
Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.
Read on AppleInsider
Malware illustration
The malware family, dubbed UpdateAgent by the Microsoft 365 Defender Threat Intelligence Team, first surfaced in September 2020. Since then, it has gradually progressed from a simple information extractor to a more dangerous piece of malware that can deliver other payloads.
UpdateAgent, which is actively in development by malware authors, can infect user Macs through vectors like drive-by downloads or pop-up ads. It often presents itself like a legitimate piece of software, such as a video app or a support agent.
Some of the trojan's more nefarious elements include capabilities like bypassing Apple's Gatekeeper security control or using existing permissions to delete evidence of its existence on a Mac. Back in August, it was updated with a new ability to inject persistent code that can run as root in an invisible background process.
Additionally, the malware uses public cloud infrastructure like Amazon S3 or CloudFront to deliver second-stage payloads in the form of .dmg or .zip files.
These tactics can allow it covertly carry out malicious activities, like delivering adware or other payloads. While it's currently used to deliver an "unusually persistent" adware called Adload, Microsoft says attackers could leverage UpdateAgent to deliver more potentially dangerous attacks down the road.
"UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns," Microsoft said of the malware.
Although UpdateAgent was first discovered by Microsoft in October 2021, it has been in the wild since at least late 2020. Later versions of UpdateAgent display "much more refined behavior compared with earlier versions," which could suggest that future updates could be on the horizon.
What's at risk, and how to protect yourself
Microsoft did not disclose if there were any specific versions of macOS vulnerable to the malware. Because it is still being actively developed, it's better to assume that your Mac is vulnerable to the malware than not.UpdateAgent has one key weakness compared to other Mac threats: it requires the user to explicitly download a malicious file.
Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.
Read on AppleInsider
Comments
“Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”
This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?
I still get the “You need to update to the latest version fo Flash Player to view this content" once in a while. And the dumb asses of the world go right ahead and click.
Stop it. This has NOTHING to do with loading software onto your iPhone from any source of your own choosing.
Secondly, iOS and iPadOS are different from macOS in the sense that even when side-loading is allowed, it runs in a secure container that never reaches the kernel or other foundational parts of the OS that a trojan can tie to / hide in. macOS works much more like a traditional operating system in that sense, which is beneficial for use-cases that do not apply to iOS and iPadOS. Only when iOS/iPadOS have bugs, an iOS/iPadOS trojan could actually be a thing, either side-loaded or coming from the App Store undetected.