macOS Malware Dubbed UpdateAgent

A new variant of the macOS malware dubbed UpdateAgent has been spotted in the wild with upgraded functionality by Jamf Threat Labs researchers.

The new version of UpdateAgent is written in Swift and hosts its malicious payloads on AWS.

As a result of this update, the malware now implements common dropper functions and features such as:

  • Minor system fingerprinting
  • Endpoint registration
  • Persistence

Here is what the security experts at Jamf Threat Labs stated:

“The second-stage download-and-execute functionality of droppers, in general, represents a risky class of malware that supports a number of second-stage attacks — from malware to spyware, to adware.”

“The most identifiable features of the malware are that it relies on AWS infrastructure to host its various payloads and to perform its infection status updates to the server.”

Detection

Since its discovery in 2020, UpdateAgent has evolved from a simple malware launcher into a fully fledged malicious dropper. It can now distribute adware and other second-stage payloads, and it bypasses the macOS Gatekeeper protection.

Each instance was traced back to a program called PDFCreator: an unsigned executable running from the directory “/Library/Application Support”.

Further inspection revealed that the executable was written in Swift and contained suspicious strings obfuscated with base64 encoding.

When executed, the binary reaches out to the registration server and sets up persistence on the system so that it can keep communicating with that server.

The newly discovered Swift-based dropper masquerades as a Mach-O binary. It is distinguished from earlier variants primarily by the fact that it reaches out to a different URL, from which it loads a bash script.

The bash scripts, named “activedirec.sh” or “bash_qolveevgclr.sh”, contain a URL pointing to an S3 bucket from which the second-stage disk image (DMG) file is downloaded and run.
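The indicators described above (an unsigned Mach-O binary under “/Library/Application Support”, base64-obfuscated strings inside it, and a bash script carrying an S3 URL for the second-stage DMG) can be triaged offline. The following script is an added example written for this article; it is not code from Jamf Threat Labs or from the malware. The Mach-O blob, the bucket name EXAMPLE-BUCKET and the script text are constructed sample data, and the function names are the author's own. It checks the Mach-O magic, decodes base64 runs that yield printable text, and extracts S3 object URLs from both the decoded strings and the script; verifying the code signature itself (for example with `codesign -dv` on a real macOS host) is left outside the example because it cannot run offline.

```python
"""Offline triage of the UpdateAgent-style indicators described in the article.
Added example, not the project's or the malware's own code. All sample data is constructed."""
import base64
import binascii
import re
import string

# Mach-O magic numbers: 32-bit and 64-bit in both byte orders, plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

# Runs of at least 20 base64-alphabet characters, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")

# Amazon S3 object URLs, virtual-hosted (bucket.s3.amazonaws.com/key) or
# path style (s3.amazonaws.com/bucket/key), with an optional region segment.
S3_URL = re.compile(r"https?://[\w.-]*\bs3(?:[.-][\w-]+)?\.amazonaws\.com/[^\s'\"]+")

PRINTABLE = set(string.printable.encode())


def is_macho(data: bytes) -> bool:
    """True if the blob starts with a Mach-O or fat header magic."""
    return data[:4] in MACHO_MAGICS


def decode_base64_strings(data: bytes) -> list:
    """Return every base64 run in the blob that decodes to printable ASCII text."""
    found = []
    for match in B64_RUN.finditer(data):
        token = match.group(0)
        # Pad to a multiple of four; validate=True rejects stray characters
        # and bad padding, which discards most identifier-like false positives.
        padded = token + b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded and all(b in PRINTABLE for b in decoded):
            found.append(decoded.decode("ascii"))
    return found


def triage(binary: bytes, script_text: str) -> dict:
    """Combine the checks into one report for a binary and its companion bash script."""
    decoded = decode_base64_strings(binary)
    return {
        "is_macho": is_macho(binary),
        "decoded_strings": decoded,
        "s3_urls_in_binary": sorted({u for s in decoded for u in S3_URL.findall(s)}),
        "s3_urls_in_script": S3_URL.findall(script_text),
    }


# --- Constructed sample data (not real payloads or indicators) ---------------
SAMPLE_URL = "https://EXAMPLE-BUCKET.s3.amazonaws.com/stage2.dmg"

# A fake 64-bit little-endian Mach-O header followed by a few string-table entries;
# in a real sample the base64 literal would be hardcoded by the dropper's author.
SAMPLE_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"PDFCreator\x00"
    + base64.b64encode(SAMPLE_URL.encode()) + b"\x00"
    + b"activedirec.sh\x00"
)

# A constructed stand-in for the downloaded bash script, reduced to the URL line.
SAMPLE_SCRIPT = '#!/bin/bash\nDMG_URL="' + SAMPLE_URL + '"\n'


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB, SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Running the block prints the four report fields for the constructed sample. On a real investigation the same functions would be fed the bytes of the suspect executable read from “/Library/Application Support” and the text of the fetched script, and any S3 URL they surface becomes a network indicator to block and to hunt for in proxy logs.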

Updating UpdateAgent is a proactive measure by its authors to keep the malware current and active. It has clearly been built on a well-constructed backend that can be updated easily.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.