Friday, January 27, 2023

Mac malware spreading for ~14 months installs backdoor on contaminated programs


Stylized illustration of a door that opens onto a wall of computer code.

Mac malware known as UpdateAgent has been spreading for more than a year, and it is growing increasingly malevolent as its developers add new bells and whistles. The additions include the pushing of an aggressive second-stage adware payload that installs a persistent backdoor on infected Macs.

The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information stealer. It collected product names, version numbers, and other basic system information. Its methods of persistence (that is, the ability to run each time a Mac boots) were also fairly rudimentary.

Person-in-The-Middle attack

Over time, Microsoft said on Wednesday, UpdateAgent has grown increasingly advanced. Besides the data sent to the attacker server, the app also sends "heartbeats" that let attackers know whether the malware is still running. It also installs adware known as Adload.

Microsoft researchers wrote:

Once adware is installed, it uses ad injection software and techniques to intercept a device's online communications and redirect users' traffic through the adware operators' servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.

Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers' C2 servers. Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.
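A quick way to check for the kind of injected web proxy Microsoft describes above is to read the proxy settings macOS itself reports for a network service. The following is an added example, not code from the article or from Microsoft's report: it parses the "Key: value" lines printed by `networksetup -getwebproxy <service>` and `-getsecurewebproxy <service>` and flags any enabled proxy, calling out a loopback address because that means a local process on the Mac is relaying the browser's traffic. It assumes the proxy is registered in the system network settings (one way such a proxy can be inserted; the page does not say which mechanism Adload uses). The two sample outputs are constructed; the live reader only works on macOS.

```python
"""Flag an enabled HTTP/HTTPS proxy in macOS network settings.

Added example, not from the article or Microsoft. Parses the output of
`networksetup -getwebproxy` / `-getsecurewebproxy`, which looks like:
    Enabled: Yes
    Server: 127.0.0.1
    Port: 8080
    Authenticated Proxy Enabled: 0
"""
import subprocess
from typing import Dict, List, Optional

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_proxy_output(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines into a dict (unknown lines are ignored)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def proxy_finding(service: str, kind: str, settings: Dict[str, str]) -> Optional[str]:
    """Return a one-line finding if the proxy is enabled, else None."""
    if settings.get("Enabled", "No").lower() != "yes":
        return None
    server = settings.get("Server", "")
    port = settings.get("Port", "")
    note = ""
    if server in LOOPBACK:
        note = " (loopback: a local process is relaying this traffic)"
    return f"{service}: {kind} proxy enabled -> {server}:{port}{note}"


def read_live(service: str = "Wi-Fi") -> List[str]:
    """Query networksetup for *service* (macOS only; returns [] elsewhere)."""
    findings: List[str] = []
    for flag, kind in (("-getwebproxy", "HTTP"), ("-getsecurewebproxy", "HTTPS")):
        try:
            cp = subprocess.run(["networksetup", flag, service],
                                capture_output=True, text=True, check=False)
        except FileNotFoundError:  # not macOS, tool absent
            return []
        finding = proxy_finding(service, kind, parse_proxy_output(cp.stdout))
        if finding:
            findings.append(finding)
    return findings


# Constructed samples of what networksetup prints on a clean Mac and on one
# whose HTTP traffic has been pointed at a local interception proxy.
SAMPLE_CLEAN = """Enabled: No
Server: 
Port: 0
Authenticated Proxy Enabled: 0
"""
SAMPLE_HIJACKED = """Enabled: Yes
Server: 127.0.0.1
Port: 8080
Authenticated Proxy Enabled: 0
"""

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(name, "->", proxy_finding("Wi-Fi", "HTTP", parse_proxy_output(sample)))
    for line in read_live():
        print("live:", line)
```

An enabled proxy is only a finding if nobody on the machine configured it; a managed corporate proxy produces the same "Enabled: Yes" line, so the hit needs to be compared against what the Mac is supposed to use.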

Before installing the adware, UpdateAgent now removes a flag that a macOS security mechanism known as Gatekeeper adds to downloaded files: the com.apple.quarantine extended attribute. (Gatekeeper ensures users receive a warning that new software came from the Internet, and it also ensures the software doesn't match known malware strains.) While this malicious capability isn't novel (Mac malware from 2017 did the same thing), its incorporation into UpdateAgent indicates the malware is under regular development.
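For a defender, the useful check is the inverse of what the malware does: confirm that files which arrived from the Internet still carry the quarantine attribute, and read what it records. The following is an added example, not code from the article or from Microsoft. It parses the value of com.apple.quarantine, whose format is four semicolon-separated fields (hex flags, hex download timestamp, downloading application, UUID), and reports a file whose flag is missing. The attribute values below are constructed samples; `read_quarantine` shells out to the macOS `xattr -p` tool and therefore only returns data on a Mac.

```python
"""Inspect the com.apple.quarantine extended attribute on downloaded files.

Added example, not code from the article or Microsoft. The attribute value
has the form  <flags-hex>;<timestamp-hex>;<downloading-agent>;<uuid>
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: str


def parse_quarantine(value: str) -> Quarantine:
    """Split the raw attribute value into its fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Raw attribute value for *path*, or None if the file has no quarantine flag.

    Uses xattr(1), so it only works on macOS; elsewhere the tool is absent and
    None is returned. xattr also exits non-zero when the attribute is missing.
    """
    try:
        cp = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if cp.returncode != 0:
        return None
    return cp.stdout.strip()


def triage(path: str, raw: Optional[str]) -> str:
    """One-line verdict: a missing flag means something stripped it."""
    if raw is None:
        return f"{path}: quarantine flag MISSING (Gatekeeper will not check it)"
    q = parse_quarantine(raw)
    return (f"{path}: quarantined, flags=0x{q.flags:04x}, "
            f"downloaded {q.downloaded_at:%Y-%m-%d %H:%M:%S}Z via {q.agent}")


if __name__ == "__main__":
    # Constructed samples: what `xattr -p com.apple.quarantine` would print for
    # a file fetched with Safari, and a file whose flag has been removed.
    samples = {
        "/Users/alice/Downloads/Installer.dmg":
            "0083;63d2a1b0;Safari;8B6E3E6B-9E1D-4C3A-9D67-5A9B4C2F1E10",
        "/Users/alice/Downloads/UpdateAgent": None,
    }
    for p, raw in samples.items():
        print(triage(p, raw))
    # On a real Mac, replace the constructed value with read_quarantine(p).
```

Run over ~/Downloads on a live Mac, a freshly downloaded installer without the attribute is the thing to investigate; the recorded agent and timestamp also tell you which browser fetched the file and when, which is handy when reconstructing the lure.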

UpdateAgent's reconnaissance has been expanded to collect system profile and SPHardwaretype data (the hardware overview that system_profiler SPHardwareDataType prints), which, among other things, reveals a Mac's serial number. The malware also started writing to the LaunchDaemons folder instead of the LaunchAgents folder as before. While the change requires UpdateAgent to run as administrator, it lets the trojan install persistent code that launchd runs as root at boot rather than as the logged-in user.
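The move to /Library/LaunchDaemons is worth hunting for, because anything loaded from there runs as root. The script below is an added example, not code from the article or from Microsoft: it parses LaunchDaemon property lists with the standard-library plistlib and flags ones that run from a user-writable location, that combine RunAtLoad with KeepAlive (so they restart if killed), or that carry an Apple-style label in a third-party directory. The heuristics and the two sample plists are constructed for illustration and are not indicators published for UpdateAgent.

```python
"""Triage LaunchDaemon plists for root-level persistence.

Added example, not code from the article or Microsoft. Daemons in
/Library/LaunchDaemons are started by launchd as root; writing there needs
admin rights, which matches the trade-off the article describes.
"""
import os
import plistlib
from typing import Dict, List

DAEMON_DIRS = ["/Library/LaunchDaemons"]  # Apple's own live under /System and are SIP-protected
# Places a legitimate daemon binary rarely lives (constructed heuristic list).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                       "/Users/Shared/", "/Users/")


def program_of(plist: dict) -> str:
    """launchd accepts either a Program key or ProgramArguments[0]."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(label: str, plist: dict) -> List[str]:
    """Return the reasons a daemon looks suspicious (empty list = nothing found)."""
    reasons: List[str] = []
    prog = program_of(plist)
    if not prog:
        reasons.append("no Program/ProgramArguments")
    elif prog.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"runs from user-writable location {prog}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (relaunched if killed)")
    if label.startswith("com.apple."):
        reasons.append("Apple-style label in a third-party daemon directory")
    return reasons


def triage_plists(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map file name -> reasons for every plist that raised at least one."""
    findings: Dict[str, List[str]] = {}
    for name, raw in plists.items():
        try:
            data = plistlib.loads(raw)
        except Exception as exc:  # malformed or binary-but-truncated plist
            findings[name] = [f"unparseable plist: {exc}"]
            continue
        label = str(data.get("Label", os.path.splitext(os.path.basename(name))[0]))
        reasons = assess(label, data)
        if reasons:
            findings[name] = reasons
    return findings


def scan_directories(dirs=DAEMON_DIRS) -> Dict[str, List[str]]:
    """Read every .plist in *dirs* (on a Mac) and triage it; missing dirs are skipped."""
    plists: Dict[str, bytes] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            if fn.endswith(".plist"):
                path = os.path.join(d, fn)
                with open(path, "rb") as fh:
                    plists[path] = fh.read()
    return triage_plists(plists)


# Constructed samples: a plausible vendor updater and a masquerading daemon.
SAMPLE_PLISTS = {
    "com.vendor.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Vendor/bin/updater</string><string>--check</string>
  </array>
  <key>StartInterval</key><integer>86400</integer>
</dict></plist>""",
    "com.apple.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.update/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for name, reasons in triage_plists(SAMPLE_PLISTS).items():
        print(name, "->", "; ".join(reasons))
    for path, reasons in scan_directories().items():  # live scan on a Mac
        print(path, "->", "; ".join(reasons))
```

The label check is deliberately crude: a third-party daemon may legitimately use a reverse-DNS label, but nothing outside /System should claim com.apple, so that hit alone is worth a look.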

The following timeline illustrates the evolution.


Once installed, the malware collects the system information, sends it to the attackers' control server, and takes several other actions. The attack chain of the latest variant looks like this:


Microsoft said UpdateAgent masquerades as legitimate software, such as video apps or support agents, that is spread by pop-ups or ads on hacked or malicious websites. Microsoft didn't explicitly say so, but users apparently must be tricked into installing UpdateAgent, and during that process, Gatekeeper works as designed.

In many ways, the evolution of UpdateAgent is a microcosm of the macOS malware landscape as a whole: malware continues to become more advanced. Mac users should learn how to spot social engineering lures, such as unsolicited pop-ups appearing in browser windows that warn of infections or unpatched software.



