Until very recently, there has been a common myth that Mac’s are immune to viruses. This, unfortunately, is not the case. It has been found that ‘UpdateAgent,’ a Mac malware, instals an adware backdoor that can be used to install additional viruses.
This relatively recent piece of Mac malware started off taking system information in late 2020. It has evolved into a tool for delivering adware and probably other threats, which has now been disclosed by Microsoft.
The ability to bypass Apple’s built-in Gatekeeper system, which is designed to enable only trusted, signed software to function on Macs, is one of UpdateAgent’s newest and most powerful features.
The new malware family was called “UpdateAgent” by Microsoft’s 365 Defender Threat Intelligence Team, which charted its progression from a barebones information stealer to a second-stage payload distributor as part of various threat waves seen in 2021.
The virus installed the evasive and persistent Adload adware in the most recent campaign, the researchers stated, but UpdateAgent’s capacity to acquire access to a device can theoretically be further leveraged to fetch other, potentially more harmful payloads.
Even as the authors have made steady improvements that have transformed UpdateAgent into a progressively persistent piece of malware, the actively in-development malware is said to be spread via drive-by downloads or advertisement pop-ups that masquerade as legitimate software like video applications and support agents.
The ability to secretly undertake malicious operations by abusing current user permissions and circumventing macOS Gatekeeper restrictions, a security mechanism that ensures only trustworthy programmes from identified developers can be installed on a system, is one of the most significant developments.
UpdateAgent has also been discovered to use public cloud infrastructures, such as Amazon S3 and CloudFront services, to host its second-stage payloads, such as adware, in the form of.DMG or.ZIP files.
Once installed, the Adload malware uses ad injection software and man-in-the-middle (MitM) techniques to intercept and reroute users’ internet traffic through the attacker’s servers, allowing rogue ads to be inserted into web pages and search engine results, increasing the likelihood of multiple infections on the devices.
UpdateAgent is distinguished by its continual upgrade of persistence techniques, a significant aspect that suggests the trojan would likely utilise more complex strategies in future campaigns, according to the researchers.
Microsoft’s Progression of UpdateAgent
UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns. Like many information-stealers found on other platforms, the malware attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
The trojan is likely distributed via drive-by downloads or advertisement pop-ups, which impersonate legitimate software such as video applications and support agents. This action of impersonating or bundling itself with legitimate software increases the likelihood that users are tricked into installing the malware. Once installed, UpdateAgent starts to collect system information that is then sent to its command-and-control (C2) server.
Notably, the malware’s developer has periodically updated the trojan over the last year to improve upon its initial functions and add new capabilities to the trojan’s toolbox. The timeline below illustrates a series of techniques adopted by UpdateAgent from September 2020 through October 2021:
- September–December 2020: The initial version of UpdateAgent was considered to be a fairly basic information-stealer. At the time, the malware was only capable of performing reconnaissance to scan and collect system information such as product names and versions. Once gathered, the data was then sent as heartbeats to the malware’s C2 server.
- January–February 2021: Approximately two months later, UpdateAgent maintained its original capabilities and added a new one: the ability to fetch secondary payloads as .dmg files from public cloud infrastructure. DMG files are mountable disk images used to distribute software and apps to macOS, allowing the trojan to easily install additional programs on affected devices.
- March 2021: Upon its third update, the malware altered one of its prior functions to fetch secondary payloads as .zip files instead of .dmg files. The malware’s developer also included two new capabilities: the ability to bypass Gatekeeper by removing the downloaded file’s quarantine attribute and the ability to create a PLIST file that is added to the LaunchAgent folder. The quarantine attribute forces Gatekeeper to block the launch of any file downloaded from the web or other unknown sources, and it also displays a pop-up warning that users cannot open the respective file as “it is from an unidentified developer”. By removing the attribute, the malware both prevented the pop-up message warning users and allowed the files to launch without being blocked by Gatekeeper. Moreover, as the LaunchAgent folder specifies which apps and code automatically run each time a user signs into the machine, adding the malware’s PLIST file allowed it to be included in these automatic launches for persistence upon users signing into the affected device.
- August 2021: The malware’s fourth update further altered some of its prior capabilities. For one, it expanded its reconnaissance function to scan and collect System_profile and SPHardwaretype information. Additionally, UpdateAgent was changed to create and add PLIST files to the LaunchDaemon folder instead of the LaunchAgent folder. While targeting the LaunchDaemon folder instead of the LaunchAgent folder required administrative privileges, it permitted the malware to inject persistent code that ran as root. This code generally takes the form of background processes that don’t interact with users, thus it also improved the trojan’s evasiveness.
- October 2021: We detected the latest variants of UpdateAgent just over a year since its release into the wild. Sporting many of the updates found in the August 2021 variant, UpdateAgent still performed system reconnaissance, communicated with the C2 server as heartbeats, and bypassed Gatekeeper. Additionally, the October update expanded the malware’s ability to fetch secondary payloads as both .dmg or .zip files from public cloud infrastructure, rather than choosing between filetypes. Among its new capabilities, UpdateAgent included the ability to enumerate LSQuarantineDataURLString using SQLite in order to validate whether the malware’s downloaded app is within the Quarantine Events database where it would be assigned a quarantine attribute. The upgrade also allowed the malware to leverage existing user profiles to run commands requiring sudo access in addition to the ability to add arguments using PlistBuddy to create and edit PLIST files more easily. Lastly, the trojan included the ability to modify sudoers list, allowing the malware to bypass a prompt requiring high privilege user credentials while running UpdateAgent’s downloaded app.
Microsoft’s blog post has additional information. The company says its Defender Antivirus can detect UpdateAgent.