
Microsoft Cautions Regarding a new Version of UpdateAgent Aimed at MacOS

Microsoft Security Intelligence researchers have found a new variant of UpdateAgent (aka WizardUpdate) that targets Mac devices. The spyware, first discovered in November 2020, may also install adware on macOS. According to the company, the new variant adds a number of features that make it much harder to identify and remove, owing to improved persistence and evasion techniques.

The malware can also abuse public cloud infrastructure to serve new payloads, another harmful capability. For example, once UpdateAgent has infected a device, it downloads additional adware known as Adload.

“We recently discovered the latest variant of a Mac malware tracked as UpdateAgent (aka WizardUpdate) with new persistence and evasion tactics, the latest in a series of upgrades over the past year. Given its history, this Trojan will likely continue to grow in sophistication,” Microsoft tweeted. 

The malware's ability to host multiple payloads on public cloud infrastructure is what delivers Adload, the adware UpdateAgent installs as a secondary payload.

The malware can gather system information and send it to a command-and-control server. Notably, it is capable of bypassing Apple's Gatekeeper protection, which it does by removing the quarantine attribute from the downloaded file.

Gatekeeper is central to macOS security: it prevents harmful apps from being installed by requiring code signing. UpdateAgent, like the OSX/Dok malware, can easily get around Gatekeeper, which makes it a persistent threat.

The attackers also use PlistBuddy, a built-in macOS utility for editing .plist files, to establish persistence. The malware then deletes the directories, files, and other artifacts it created in order to hide its tracks.

“The malware also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDaemon for persistence. It then covers its tracks by deleting created folders, files, and other artifacts,” researchers tweeted.
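The launchd persistence described in the tweet above can be hunted for on a host by auditing the LaunchAgent/LaunchDaemon plists themselves. The following is an added example, not Microsoft's or the post's own code; the sample plist, the list of suspicious program directories, and the Apple-style-label heuristic are constructed assumptions.

```python
"""Audit macOS LaunchAgent/LaunchDaemon plists for suspicious persistence entries."""
import os
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Standard locations for launchd persistence plists.
PERSISTENCE_DIRS = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
                    Path(os.environ.get("HOME", "/")) / "Library/LaunchAgents"]
# Program locations unusual for a legitimately installed agent (assumed heuristic).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
APPLE_DIRS = ("/System/", "/usr/")

def audit_plist(data: bytes) -> list[str]:
    """Return the reasons a plist looks like malicious persistence (empty list if clean)."""
    reasons = []
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if not program:
        reasons.append("no Program/ProgramArguments")
    elif program.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"program in temp/shared path: {program}")
    # RunAtLoad plus KeepAlive: starts at every login/boot and is restarted if killed.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive")
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and not program.startswith(APPLE_DIRS):
        reasons.append(f"Apple-style label for non-Apple binary: {label}")
    return reasons

def scan(dirs=PERSISTENCE_DIRS) -> dict[Path, list[str]]:
    """Audit every *.plist in the persistence directories; map path -> reasons for hits."""
    hits = {}
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            if reasons := audit_plist(p.read_bytes()):
                hits[p] = reasons
    return hits

# Constructed sample plist modelled on the persistence shape described in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updateagent.helper</string>
  <key>ProgramArguments</key><array><string>/tmp/.hidden/agent</string><string>-r</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(audit_plist(SAMPLE_PLIST))
    for path, reasons in scan().items():
        print(path, reasons)
```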

The new version also impersonates legitimate software, although Microsoft did not specify which software is being impersonated. The malware is believed to spread via drive-by downloads.