What is UpdateAgent Malware?
UpdateAgent malware tricks its victims by imitating legitimate software, such as support agents or video games, and spreads through infected or malicious websites.
Once installed, it abuses the capabilities of the Mac device. UpdateAgent can bypass Gatekeeper controls, a security feature that ensures that only trusted applications are installed. It can abuse existing user permissions to perform malicious activities and then remove the evidence. This trojan also uses CloudFront and Amazon S3 public cloud infrastructure to host additional payloads.
Harms of UpdateAgent Malware
The UpdateAgent malware is smarter and more dangerous, and can now bypass Apple’s Gatekeeper controls designed to ensure that only trusted apps run on Mac devices, Microsoft said.
- The UpdateAgent malware can use existing user permissions to covertly perform malicious actions before removing evidence to cover its tracks.
- UpdateAgent malware also abuses public cloud infrastructure, especially Amazon S3 and CloudFront, to host its additional payloads.
- Once the malware is installed, it uses ad-injection software and techniques to intercept the device’s online communications and redirect user traffic through the adware operator’s servers, injecting advertisements and promotions into web pages and search results.
- The UpdateAgent can open backdoors to download and install additional adware and payloads, as well as collect system information sent to attackers.
- UpdateAgent is capable of installing additional payloads, and attackers can use one or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.
Recent News of UpdateAgent Malware
macOS malware dubbed UpdateAgent has been around for nearly 14 months. It started circulating in November or December 2020 as a basic information stealer.
Microsoft on Wednesday shed light on a previously undocumented Mac trojan that has gone through several repetitions since its first appearance in September 2020, effectively giving it “a growing development of complex capabilities.”
The company’s Microsoft 365 Defender Threat Intelligence team has named the new malware family “UpdateAgent,” tracing its path from simple information stealer to second-stage payload distributor in attack waves seen in 2021.
Fetching Dangerous Payloads
“UpdateAgent’s ability to access the device could theoretically be exploited to fetch other dangerous payloads,” the researchers said. The malware is distributed via drive-by downloads or pop-ups posing as legitimate software such as video apps and support agents, and its authors have made continuous improvements that have made UpdateAgent an increasingly resilient piece of malware.
Manipulation of User Permissions
Key enhancements include the ability to abuse existing user permissions to perform malicious actions stealthily and bypass macOS Gatekeeper controls, a security feature that ensures that only trusted apps from identified developers can be installed on the system.
“UpdateAgent malware is uniquely characterized by incremental updating of saving methods, which is a key feature that indicates that this trojan is likely to continue to use more sophisticated methods in future campaigns,” the researchers warn.
UpdateAgent is getting more malicious every day as its developers keep updating it. The malware now has features that include deploying an aggressive second-stage adware payload, which installs a persistent backdoor.
Insertion of Malicious Promotions and Advertisements
- The adware injects promotions and advertisements into search results and web pages. It also performs a man-in-the-middle attack by routing traffic through a web proxy. This allows attackers to steal ad revenue from legitimate website owners. In addition to sending data to the attacker’s server, it also sends a “heartbeat” to inform the attacker that the malware is still running.
- During the reconnaissance phase, UpdateAgent collects SPHardwareDataType and system profile data that reveals the serial number of the victim’s system.
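The three behaviours the article attributes to UpdateAgent (reconnaissance via `system_profiler SPHardwareDataType`, payload retrieval from Amazon S3 and CloudFront, and a periodic C2 “heartbeat”) are all observable on an endpoint. The script below is an added triage example, not code from the article or from Microsoft’s report: it parses a small set of constructed process and network telemetry lines (the log format, process names, hostnames and timings are all invented for the demo) and flags each behaviour with a separate rule. The cloud-storage rule also serves the “Harms” list above, which names S3 and CloudFront as the payload hosting infrastructure.

```python
"""Added example: triage constructed macOS endpoint telemetry for UpdateAgent-like behaviour.
Not the article's or Microsoft's code; the log format and every value in SAMPLE_LOG are invented."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed telemetry (key=value after a timestamp and event kind). Hostnames use
# example/.invalid names; the 'UpdateHelper' process and its timings are made up.
SAMPLE_LOG = """\
2022-02-03T10:00:01Z proc_exec pid=513 proc=system_profiler parent=UpdateHelper cmd="system_profiler SPHardwareDataType"
2022-02-03T10:00:05Z net_conn pid=512 proc=UpdateHelper host=d111example.cloudfront.net method=GET bytes=48120
2022-02-03T10:00:06Z net_conn pid=512 proc=UpdateHelper host=bucket-example.s3.amazonaws.com method=GET bytes=203311
2022-02-03T10:01:00Z net_conn pid=900 proc=Safari host=static.example.cloudfront.net method=GET bytes=2000
2022-02-03T10:02:30Z proc_exec pid=777 proc=system_profiler parent=zsh cmd="system_profiler SPHardwareDataType"
2022-02-03T10:05:00Z net_conn pid=512 proc=UpdateHelper host=c2.example.invalid method=POST bytes=96
2022-02-03T10:10:00Z net_conn pid=512 proc=UpdateHelper host=c2.example.invalid method=POST bytes=98
2022-02-03T10:15:01Z net_conn pid=512 proc=UpdateHelper host=c2.example.invalid method=POST bytes=97
2022-02-03T10:20:00Z net_conn pid=512 proc=UpdateHelper host=c2.example.invalid method=POST bytes=96
2022-02-03T10:07:12Z net_conn pid=900 proc=Safari host=api.example.invalid method=POST bytes=80
2022-02-03T10:33:40Z net_conn pid=900 proc=Safari host=api.example.invalid method=POST bytes=80
2022-02-03T10:41:02Z net_conn pid=900 proc=Safari host=api.example.invalid method=POST bytes=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Tuning knobs (assumptions for the demo): shells from which an admin might run
# system_profiler by hand, browsers expected to talk to CDNs, and the cloud
# storage suffixes the article names as UpdateAgent's payload hosting.
INTERACTIVE_PARENTS = {"zsh", "bash", "sh", "Terminal"}
BROWSERS = {"Safari", "Google Chrome", "firefox"}
CLOUD_SUFFIXES = (".cloudfront.net", ".s3.amazonaws.com")


def parse_line(line):
    """Turn one telemetry line into a dict with a parsed timestamp and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"]}
    for key, value in KV_RE.findall(m["rest"]):
        event[key] = value.strip('"')
    return event


def is_periodic(times, min_count=4, tolerance=0.1):
    """True when at least min_count events are spaced at a near-constant interval
    (every gap within tolerance*mean of the mean gap): the shape of a heartbeat."""
    if len(times) < min_count:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)


def detect(log_text):
    """Run the three rules over the telemetry and return a list of findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    small_posts = defaultdict(list)  # (process, host) -> timestamps of small POSTs

    for e in events:
        if e["kind"] == "proc_exec":
            # Rule 1: hardware reconnaissance launched by something other than a shell.
            if "SPHardwareDataType" in e.get("cmd", "") and e["parent"] not in INTERACTIVE_PARENTS:
                findings.append({"rule": "hardware_recon", "proc": e["parent"], "detail": e["cmd"]})
        elif e["kind"] == "net_conn":
            # Rule 2: a non-browser process pulling content from public cloud storage.
            if e["host"].endswith(CLOUD_SUFFIXES) and e["proc"] not in BROWSERS:
                findings.append({"rule": "cloud_payload_fetch", "proc": e["proc"], "detail": e["host"]})
            # Collect candidates for Rule 3: small outbound POSTs to one host.
            if e["method"] == "POST" and int(e["bytes"]) < 512:
                small_posts[(e["proc"], e["host"])].append(e["ts"])

    # Rule 3: heartbeat beaconing, i.e. small POSTs at a near-constant interval.
    for (proc, host), times in small_posts.items():
        if is_periodic(times):
            findings.append({"rule": "heartbeat_beacon", "proc": proc, "detail": host})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['proc']}: {f['detail']}")
```

On the constructed sample, the script reports four findings, all against the invented `UpdateHelper` process: one reconnaissance execution (the `zsh`-launched copy is treated as an admin running it by hand), two cloud-storage fetches (Safari’s CDN request is ignored), and one heartbeat to `c2.example.invalid` (Safari’s irregular POSTs do not pass the periodicity test). The allowlists and the 512-byte / 10 % thresholds are the parts a practitioner would tune against real telemetry.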
Because today’s work environments depend on many different devices and operating systems, organizations need to implement security solutions that protect all platforms. UpdateAgent’s developers have turned a simple information stealer into complex, persistent and increasingly aggressive malware.