The latest version of a Mac Trojan called UpdateAgent, aka WizardUpdate, provides fresh evidence of the growing effort that some threat actors are putting into targeting Apple technologies.
The malware, which impersonates legitimate software, such as support agents and video software, first surfaced in September 2020. It is commonly distributed via drive-by downloads or pop-ups for advertisements and fake updates for tools like the long-discontinued Adobe Flash Player. Since it first emerged, UpdateAgent's authors have constantly updated it with significant new functionality. The most recent update in October was no exception.
Researchers from Microsoft analyzed the latest variant and found it contained an expanded capability for installing secondary payloads hosted on trusted public cloud infrastructures, such as Amazon S3 and CloudFront. Instead of using either .zip files or mountable disk images (DMG files) to fetch additional payloads like it had previously, the new version of UpdateAgent now can use both file types.
With the October version, UpdateAgent's secondary payloads now also include Adload, a highly persistent Trojan for installing potentially unwanted apps and ad loaders on Macs. The malware — of which there are well over 100 unique samples — is notable for updates that always keep it one step ahead of Apple's built-in XProtect anti-malware technology and other security controls.
Microsoft's analysis showed that with the latest upgrades, the malware can leverage a user's existing profile to execute commands that typically would require higher security and admin privileges. In addition, UpdateAgent has tweaked its ability to maintain persistence on compromised systems while evading detection.
The October version of UpdateAgent/WizardUpdate is its fifth iteration. The first one in September 2020 was simple and designed to collect basic information about the device on which it was installed and to stay in touch with a remote command-and-control (C2) server. In the next few versions, the authors of the malware added features for fetching secondary payloads, maintaining persistence, and, importantly, bypassing Gatekeeper, a macOS technology for ensuring that only trusted software can run on a Mac.
In the process, the malware has evolved from a somewhat rudimentary information-stealer to what Microsoft this week described as a refined tool for distributing adware loaders and other potentially more dangerous payloads on systems running macOS.
"WizardUpdate appeared on the scene with a few surprises," says Phil Stokes, security researcher at SentinelOne, which tracks a wide range of Mac malware. "They learned early how to trick Apple into notarizing their malware, and they made clever use of AWS and other public cloud repos to try and blend C2 traffic into normal traffic."
Its authors also were notable for their somewhat intriguing choice of a very basic encryption scheme called Vigenere cipher, which normally wouldn't be deployed by anyone outside of a classroom environment, he says.
Stokes describes UpdateAgent/WizardUpdate as a relatively new player in the crowded adware/bundleware delivery platform market for Macs. Research conducted last year by Jamf showed adware continuing to be a far bigger threat to Mac users than other forms of malware. The company found that the top 10 threats directed at Mac users at the time of the study were all adware-related.
Similarly, the authors of UpdateAgent/WizardUpdate are likely selling a "pay-per-install" service to unscrupulous developers and adware installers, Stokes says.
Though there's nothing specific separating UpdateAgent from its rivals, its authors do appear determined to make an impression, he says.
"We're sure it'll be around for some time to come so long as it remains successful at infecting unprotected Mac users," Stokes says.
Malvertising Campaigns Fueling Market
Jerome Dangu, co-founder and CTO at Confiant, which provides technology for spotting and blocking unwanted ads on websites, says large-scale malicious advertising campaigns are the fuel for pay-to-install cybercrime of which malware like UpdateAgent is a part. The authors of such malware are constantly trying to stay one step ahead of Apple.
"At a high level, it's a cat-and-mouse game between Apple's hands-on approach to app security and these sophisticated attackers continuously iterating to bypass it," he says. While adware is the main motivator, there's a potential that attacks can escalate to much higher severity attacks in enterprises in future, Dangu cautions.
Two malware threats recently analyzed by SentinelOne show that some attackers are looking beyond adware when it comes to targeting Macs. One of the malware samples is a cross-platform tool called SysJoker that appears designed to serve as a remotely accessible backdoor on Mac systems. The other is called DazzleSpy; it has functions that allow it to search for and write to files, exfiltrate system and other environment information, and run remote desktop and shell commands.
"Targeted macOS malware, usually spyware, is increasingly aimed at Asian users and is increasingly part of cross-platform campaigns," Stokes says.