Microsoft disclosed details of a previously undocumented macOS malware family on Wednesday, saying it has gone through numerous iterations since it first emerged in September 2020 and now shows a “growing progression of complex capabilities.” The malware, which the Microsoft 365 Defender Threat Intelligence Team named “UpdateAgent,” was traced by the team from its origins as a standalone information stealer to a second-stage payload distributor used in several attack waves observed in 2021.
“The virus installed the evasive and persistent Adload adware in the most recent campaign,” the researchers stated, “but UpdateAgent’s capacity to acquire access to a device can theoretically be further leveraged to fetch other, potentially more harmful payloads.”
Even as its authors have reworked UpdateAgent into an increasingly persistent piece of malware, the actively developed trojan is said to spread through drive-by downloads or advertisement pop-ups that impersonate legitimate software such as video applications and support agents.
One of the most significant developments is the ability to carry out malicious actions covertly by abusing the permissions the current user already holds and by circumventing macOS Gatekeeper, the security mechanism that is meant to ensure only trusted software from identified developers can run on a system. UpdateAgent has also been observed using public cloud infrastructure, namely Amazon S3 and CloudFront, to host its second-stage payloads, such as adware, as .DMG or .ZIP files. Because plenty of legitimate software is distributed from the same services, a download from S3 or CloudFront is not suspicious on its own; it becomes interesting in combination with the file type and the process that fetched it.
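The following hunting heuristic is an added example written for this page, not code from Microsoft's report or from the researchers. It runs over a constructed proxy log (the six-field format, the hostnames and the process names are all hypothetical) and flags .DMG or .ZIP downloads whose host is an S3 bucket or a CloudFront distribution, raising the priority when the requesting process is not a browser, since an installer fetched by curl or a shell is far less likely to be a user-initiated download than one fetched by Safari.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log, not taken from Microsoft's report. Assumed
# (hypothetical) format: timestamp client_ip process method url status
SAMPLE_LOG = """\
2021-11-02T10:01:12Z 10.0.0.21 Safari GET https://www.example.com/index.html 200
2021-11-02T10:02:44Z 10.0.0.21 Safari GET https://d111111abcdef8.cloudfront.net/Player/installer.dmg 200
2021-11-02T10:03:09Z 10.0.0.21 curl GET https://payload-bucket-example.s3.amazonaws.com/update/agent.zip 200
2021-11-02T10:04:01Z 10.0.0.22 Safari GET https://mirror.example.org/tools/utility.zip 200
2021-11-02T10:05:37Z 10.0.0.23 bash GET https://s3.us-west-2.amazonaws.com/bucket-name/support-agent.DMG 200
2021-11-02T10:06:00Z 10.0.0.23 Safari GET https://d222222abcdef8.cloudfront.net/site/style.css 200
"""

# S3 hostnames in their common shapes: bucket.s3.amazonaws.com,
# bucket.s3.<region>.amazonaws.com, s3.<region>.amazonaws.com, legacy s3-<region>.
S3_HOST = re.compile(r"^(?:[a-z0-9.-]+\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
CLOUDFRONT_HOST = re.compile(r"^[a-z0-9]+\.cloudfront\.net$")
PAYLOAD_SUFFIXES = (".dmg", ".zip")
# Processes from which an installer download is ordinary; anything else
# pulling a .dmg/.zip from shared cloud storage deserves a closer look.
BROWSERS = {"safari", "google chrome", "firefox", "microsoft edge"}


@dataclass
class Finding:
    timestamp: str
    client: str
    process: str
    url: str
    reason: str
    priority: str


def is_cloud_hosted(host: str) -> bool:
    """True when the host is an S3 endpoint or a CloudFront distribution."""
    host = host.lower().rstrip(".")
    return bool(S3_HOST.match(host) or CLOUDFRONT_HOST.match(host))


def is_payload_name(path: str) -> bool:
    """Case-insensitive check for the two container formats named in the report."""
    return path.lower().endswith(PAYLOAD_SUFFIXES)


def parse_line(line: str):
    """Split one constructed log line into fields; None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, process, method, url, status = parts
    return {"timestamp": ts, "client": client, "process": process,
            "method": method, "url": url, "status": status}


def hunt(log_text: str) -> list[Finding]:
    """Return one Finding per cloud-hosted .dmg/.zip download, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        if not (is_cloud_hosted(host) and is_payload_name(parsed.path)):
            continue
        hosted_on = "CloudFront" if host.endswith(".cloudfront.net") else "S3"
        from_browser = rec["process"].lower() in BROWSERS
        findings.append(Finding(
            timestamp=rec["timestamp"], client=rec["client"], process=rec["process"],
            url=rec["url"],
            reason=f"{parsed.path.rsplit('/', 1)[-1]} fetched from {hosted_on}",
            # A non-browser process downloading an installer is the stronger signal.
            priority="medium" if from_browser else "high",
        ))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.priority}] {f.timestamp} {f.client} {f.process}: {f.reason} ({f.url})")
```

On the sample log this yields three findings (the two S3 downloads by curl and bash as high priority, the CloudFront .dmg fetched by Safari as medium) and skips both the .zip from a non-cloud mirror and the CloudFront stylesheet. Treat the output as a triage queue, not a verdict: the next step is to pull the downloaded file and check its code signature and quarantine state on the endpoint.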
Once installed, the Adload adware uses ad-injection components and man-in-the-middle (MitM) techniques to hijack users’ internet traffic and reroute it through the attacker’s servers, allowing malicious ads to be inserted into web pages and search engine results and increasing the chance that the device picks up further infections.
The researchers cautioned that “UpdateAgent is particularly defined by its gradual upgrading of persistence techniques, a significant trait that signals this trojan will likely continue to use more advanced strategies in future campaigns.”