Insidious Mac malware is becoming more sophisticated


Mac malware known as UpdateAgent has been spreading for more than a year, and it is becoming more dangerous as its developers add new bells and whistles. The additions include pushing a second-stage, aggressive adware that installs a persistent backdoor on infected Macs.

The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information stealer. It collected product names, version numbers and other basic information about the system. Its persistence methods, that is, its ability to run every time the Mac starts, were also quite rudimentary.

Person-in-the-middle attack

Over time, Microsoft said on Wednesday, UpdateAgent has become more advanced. Besides the data it sends to the attacker's server, the app now also sends "heartbeats" that let the attackers know whether the malware is still running. It also installs adware known as Adload.

Microsoft researchers wrote:

Once the adware is installed, it uses ad injection software and techniques to intercept the device’s network communication and redirect user traffic through the adware operator’s server, injecting ads and promotions onto websites and search results. Specifically, Adload uses the Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and insert ads on websites, thus transferring revenue from ads from official website owners to adware operators.

Adload is also an unusually persistent type of adware. It is able to open the back door to download and install other adware and useful data in addition to collecting system information that is sent to the attacker’s C2 servers. Since both UpdateAgent and Adload have the ability to install additional payloads, attackers can use one or both of these vectors to potentially deliver more dangerous threats to targeted systems in future campaigns.

Before installing the adware, UpdateAgent now removes the quarantine flag that the macOS security mechanism called Gatekeeper adds to downloaded files. (Gatekeeper ensures that users are alerted when new software comes from the Internet, and also checks that the software does not match known types of malware.) The Gatekeeper bypass is further evidence that UpdateAgent is malware under regular development.

UpdateAgent's reconnaissance has been extended to collect system profile and SPHardwaretype data, which, among other things, reveal the Mac's serial number. The malware has also started to write to the LaunchDaemon folder instead of the LaunchAgent folder it used before. Although the change requires UpdateAgent to run with administrator privileges, it lets the Trojan install persistent code that runs as root.
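As an added illustration of the LaunchDaemon persistence described above (example code written for this page, not from Microsoft or the article), here is a triage script that parses the plists in a launchd directory and flags entries worth a manual look. The suspect-path list, the heuristics, and the two sample plist labels and paths are constructed assumptions, not indicators from this campaign.

```python
"""launchd persistence triage (added example, not Microsoft's or the page's code).
Parses every .plist in a launchd directory with plistlib and flags items worth a
manual look; the path list and heuristics are assumptions, not a detection rule."""
import os
import plistlib
import tempfile

# Assumed list of locations where a root daemon's executable should not live.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/",
                    "/Library/Application Support/")

def program_of(plist):
    """Executable path from Program or ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def audit_launch_dir(directory):
    """Return {label: [reasons]} for plists in `directory` that merit review."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            plist = plistlib.load(fh)
        label = plist.get("Label", name)
        prog = program_of(plist)
        reasons = []
        if prog.startswith(SUSPECT_PREFIXES):
            reasons.append("program in user-writable path: " + prog)
        # LaunchDaemons run as root; a non-Apple item that starts at boot and is respawned deserves a look.
        if (not label.startswith("com.apple.") and plist.get("RunAtLoad")
                and plist.get("KeepAlive")):
            reasons.append("non-Apple item runs at load and is kept alive")
        if reasons:
            findings[label] = reasons
    return findings

def demo():
    """Audit two constructed plists (sample data, not real malware artifacts)."""
    d = tempfile.mkdtemp()
    benign = {"Label": "com.example.backup", "StartInterval": 86400,
              "ProgramArguments": ["/usr/local/bin/backup", "--nightly"]}
    shady = {"Label": "com.updater.helper", "RunAtLoad": True, "KeepAlive": True,
             "ProgramArguments": ["/Library/Application Support/Updater/agent"]}
    for body in (benign, shady):
        with open(os.path.join(d, body["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(body, fh)
    return audit_launch_dir(d)
```

On a real Mac, point `audit_launch_dir` at /Library/LaunchDaemons and /Library/LaunchAgents; the output is a review list, not a verdict.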

The following timeline illustrates the evolution.

[Timeline image, courtesy of Microsoft]
