A new variant of the macOS malware tracked as UpdateAgent
has been spotted in the wild, indicating ongoing attempts on the
part of its authors to upgrade its functionalities.
“Perhaps one of the most identifiable features of the malware is
that it relies on the AWS infrastructure to host its various
payloads and perform its infection status updates to the server,”
researchers from Jamf Threat Labs said[1]
in a report.
UpdateAgent, first detected in late 2020, has since evolved[2]
into a malware dropper, facilitating the distribution of
second-stage payloads such as adware while also bypassing macOS
Gatekeeper[3]
protections.
The newly discovered Swift-based dropper masquerades as Mach-O
binaries named “PDFCreator[4]” and “ActiveDirectory[5]” that, upon execution,
establish a connection to a remote server and retrieve a bash
script to be executed.
“The primary difference [between the two executables] is that it
reaches out to a different URL from which it should load a bash
script,” the researchers noted.
These bash scripts, named “activedirec.sh[6]” or “bash_qolveevgclr.sh[7]“, include a URL pointing
to Amazon S3 buckets to download and run a second-stage disk image
(DMG) file to the compromised endpoint.
“The continued development of this malware shows that its
authors continue to remain active, trying to reach as many users as
possible,” the researchers said.
References
- ^
said
(www.jamf.com) - ^
evolved
(thehackernews.com) - ^
Gatekeeper
(support.apple.com) - ^
PDFCreator
(www.virustotal.com) - ^
ActiveDirectory
(www.virustotal.com) - ^
activedirec.sh
(www.virustotal.com) - ^
bash_qolveevgclr.sh
(www.virustotal.com)
Read more https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html