
Mac Malware Dubbed UpdateAgent Flagged, Gets Smarter With Each New Variant

The Microsoft Security blog recently published a post about a long-running piece of Mac malware called UpdateAgent, which is evolving dangerously and getting more aggressive with every new iteration.

The latest two variants of the malware are considerably stealthier than earlier versions. In its newest form, UpdateAgent manages to sneak past Apple's Gatekeeper controls, which are meant to allow only trusted apps to run on macOS.

The security team first discovered and analyzed the Trojan, which targets Apple Mac devices, in October 2021, but the malware has actually been around since 2020. There are fears that UpdateAgent is still under active development and that the cybercriminals behind it will keep releasing increasingly sophisticated versions in the future.

That concern is based on the fact that this Trojan started out as a plain information stealer and then kept getting smarter over time.

September to December 2020: The malware acts as a basic information stealer.

January to February 2021: Gains the ability to fetch secondary payloads, such as mountable disk images (DMG files, which are used to distribute software and apps on macOS), from public cloud infrastructure (Amazon S3 and CloudFront).

March 2021: The malware is modified to fetch ZIP files instead of DMG files, to bypass Gatekeeper, and to start up at launch or user sign-in on the infected device. The Trojan's PLIST file can be added to the LaunchAgent folder for this purpose.

August 2021: The new variant is found to be better at evading detection and is altered so that it can create and add PLIST files to LaunchDaemon instead of LaunchAgent, which lets it plant persistent code that runs as root. It is also found to be collecting System_profile and SPHardwaretype data.

October 2021: The updated malware is seen distributing persistent Adload adware as a secondary payload in .zip or .pkg format via public cloud infrastructure. It now ensures in advance that Gatekeeper will not flag the adware it is about to download onto the infected macOS device.
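As an added example (not from the Microsoft post or this article), the following Python audit parses launchd property lists and flags the persistence pattern the timeline describes: a job whose program lives outside the standard system locations, set to start at load, and planted under LaunchDaemons so it runs as root. The path allowlist and the two sample PLISTs are constructed for the demonstration and are not real UpdateAgent artifacts.

```python
import plistlib
from typing import List, Optional

# Prefixes a legitimately installed launchd program normally runs from (assumed
# allowlist). A job pointing elsewhere (temp dirs, a user's home) deserves a closer look.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                     "/Library/Apple/", "/Applications/")


def program_of(job: dict) -> Optional[str]:
    # launchd runs Program if set, otherwise ProgramArguments[0]
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_item(plist_bytes: bytes, location: str) -> List[str]:
    # location is the folder the PLIST came from: LaunchAgents or LaunchDaemons
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "<no Label>")
    prog = program_of(job)
    if prog is None:
        return [f"{label}: no Program/ProgramArguments"]
    findings = []
    if not prog.startswith(EXPECTED_PREFIXES):
        findings.append(f"{label}: runs {prog} from an unexpected location")
        if job.get("RunAtLoad") or job.get("KeepAlive"):
            findings.append(f"{label}: starts at boot/login via {location}")
        if location == "LaunchDaemons":
            findings.append(f"{label}: LaunchDaemon, so it runs as root")
    return findings


# Constructed sample PLISTs for the demonstration, not real UpdateAgent files.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.hypothetical.update</string>
  <key>ProgramArguments</key><array><string>/tmp/.update/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

To run it against a real machine, read each .plist in /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents and pass its bytes plus the folder name to audit_launch_item.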

Do note that UpdateAgent pretends to be legitimate software and tricks users into installing it in order to gain entry to the system. So Mac owners can probably avoid infecting their device with this malware by staying vigilant with regard to the apps they load onto it.