Microsoft Security Intelligence have discovered a new variant of  UpdateAgent malware targeting Mac devices.

Microsoft explained that the variant is equipped with new capabilities including increased persistence and evasion tactics. It’s hard to trace and difficult to wipe off. It abuses public cloud infrastructure to host additional payloads like Adloads

The malware collects and sends system information to a C2 server, one of the most notable additions to the malware’s capabilities is its ability to bypass Apple’s Gatekeeper security feature. It does so by removing the downloaded file’s quarantine attributes.

UpdateAgent malware variant impersonates legitimate macOS software

Gatekeeper is the backbone of macOS’ security as it verifies downloaded applications and enforces code signing before allowing them to run on Macbooks. This reduces the possibility of malware execution.

The malware also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDeamon for persistence. It then covers its tracks by deleting created folders, files, and other artifacts.

Advertisements

The new variant involves impersonating legitimate software. Microsoft did not reveal precisely which software are being impersonated by the malware. However, the company believes that the new variant is being distributed via drive-by downloads.

New variant of UpdateAgent Mac malware

Most software for macOS are paid therefore it is easy to lure unsuspecting users into downloading malicious software by impersonating legitimate ones. That is why it is important to refrain from downloading pirated programs or software from third-party websites/marketplaces.