UpdateAgent macOS malware upgraded with new droppers

May 24, 2022

An updated version of the macOS malware known as UpdateAgent has recently been seen by researchers circulating in the wild. The latest findings show that the operators of this malware continue to extend its capabilities and functionality in order to compromise more devices.

According to the researchers, the new variant of UpdateAgent has been detected using the Amazon Web Services (AWS) to host multiple payloads and update the infection status to the threat actor’s server.

The new malware dropper is an executable based on Swift. It also spoofs Mach-O binaries such as ActiveDirectory and PDFCreator. If a target executes the malware, it will make a connection to a remote server and acquire bash script commands. The researchers identified the scripts as “activedirec[.]sh” and “bash_golveevgclr[.]sh.”

These scripts contain a URL pointing to Amazon S3 buckets, from which a second-stage DMG file is downloaded and run on the compromised endpoint.


UpdateAgent also used another dropper for its attacks.


In several cases, UpdateAgent used another dropper called ActiveDirectory, a binary that combines the dropper with PDFCreator. This dropped file is nearly identical to the PDFCreator executable, but several indicators show that it is not simply a copy of that dropper.

The primary difference between ActiveDirectory and PDFCreator is that the former contacts a different URL, from which it loads a bash script.

In addition, the downloaded DMG contains an application whose name, given inside the DMG, appears to be made of randomly chosen words. The application is then copied to the “/tmp” directory.

Subsequently, the path of the newly copied application is stored in a “$TMPFILE” variable on the system. The malware then modifies the /etc/sudoers file, adding a rule that lets the primary user run the $TMPFILE script as root without entering a password.
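As an added defensive example (not code from the original report), the following Python audit scans sudoers content for the pattern described above: a rule that grants root, with or without NOPASSWD, to a command path inside a world-writable temporary directory. The sample sudoers text, the user names and the random-word app path are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an /etc/sudoers file after the tampering described
# above: a NOPASSWD rule that lets one user run a script from /tmp as root.
# The user names and the random-word app path are invented for this example.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
jdoe    ALL=(ALL) NOPASSWD: /tmp/kindle.bramble.app/Contents/MacOS/kindle.bramble
alice   ALL=(root) /usr/local/bin/backup.sh
"""

# Directories a legitimate sudo rule should never point into: anything a
# non-root process can write to before the rule is exercised.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<spec>.+)$")

@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    reason: str

def audit_sudoers(text: str) -> List[Finding]:
    """Return one Finding per user rule that grants root to a temp-dir path,
    noting whether the rule also waives the password (NOPASSWD)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        nopasswd = re.search(r"\bNOPASSWD\s*:", spec) is not None
        # Strip tag prefixes (NOPASSWD:, SETENV:, ...) to leave the command list
        cmd_list = re.sub(r"\b[A-Z_]+\s*:", "", spec)
        for entry in cmd_list.split(","):
            words = entry.split()
            if words and words[0].startswith(WRITABLE_PREFIXES):
                reason = "root for a script in a world-writable directory"
                if nopasswd:
                    reason = "passwordless " + reason
                findings.append(Finding(n, m.group("user"), words[0], reason))
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: user {f.user!r} -> {f.command} ({f.reason})")
```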

The operators of the UpdateAgent seem to be putting a lot of effort into upgrading their malware to keep their strain relevant. Furthermore, the malware developers are expected by experts to stay active and might attempt to target numerous users in the future.

Cybersecurity experts suggest that users should be wary of suspicious behaviour from rogue applications obtained from third-party stores or unknown sources.
