{"id":18132,"date":"2022-02-02T11:04:25","date_gmt":"2022-02-02T19:04:25","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11865\/"},"modified":"2022-02-02T11:04:25","modified_gmt":"2022-02-02T19:04:25","slug":"news-11865","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11865\/","title":{"rendered":"The evolution of a Mac trojan: UpdateAgent\u2019s progression"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Wed, 02 Feb 2022 17:00:00 +0000<\/strong><\/p>\n<p>Our discovery and analysis of a sophisticated Mac trojan in October exposed a year-long evolution of a malware family\u2014and depicts the rising complexity of threats across platforms. The trojan, tracked as UpdateAgent, started as a relatively basic information-stealer but was observed distributing secondary payloads in the latest campaign, a capability that it added in one of its multiple iterations. Reminiscent of the progression of info-stealing trojans in other platforms, UpdateAgent may similarly become a vector for other threats to infiltrate target systems.<\/p>\n<p>Since its first appearance in September 2020, the malware displayed an increasing progression of sophisticated capabilities, and while the latest two variants were sporting much more refined behavior compared with earlier versions, they show signs that the malware is still in the development stage and more updates are likely to come. The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent\u2019s ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads.<\/p>\n<p>UpdateAgent lures its victims by impersonating legitimate software and can leverage Mac device functionalities to its benefit. One of the most advanced techniques found in UpdateAgent\u2019s latest toolbox is bypassing Gatekeeper controls, which are designed to ensure only trusted apps run on Mac devices. The trojan can leverage existing user permissions to quietly perform malicious activities before deleting the evidence to cover its tracks. UpdateAgent also misuses public cloud infrastructure, namely Amazon S3 and CloudFront services, to host its additional payloads. We shared our findings with the team at Amazon Web Services, and they have taken down the malicious URLs\u2013another example of how intelligence sharing and collaboration results in better security for the broader community.<\/p>\n<p>Threats like UpdateAgent are proof that, as environments continue to rely on a diverse range of devices and operating systems, organizations need security solutions that can provide protection across platforms and a complete picture of their security posture. <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> delivers and coordinates threat defense across all major OS platforms including Windows, macOS, Linux, Android and iOS. On macOS devices, Microsoft Defender for Endpoint detects and exposes threats and vulnerabilities through its antivirus, endpoint detection and response (EDR), and threat and vulnerability management capabilities.<\/p>\n<p>In this blog post, we share the evolving development of the UpdateAgent trojan targeting Mac users and detail the malware\u2019s recent campaign to compromise devices, steal sensitive information, and distribute adware as a secondary payload.<\/p>\n<h2>Progression of UpdateAgent<\/h2>\n<p>UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns. Like many information-stealers found on other platforms, the malware attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.<\/p>\n<p>The trojan is likely distributed via drive-by downloads or advertisement pop-ups, which impersonate legitimate software such as video applications and support agents. This action of impersonating or bundling itself with legitimate software increases the likelihood that users are tricked into installing the malware. Once installed, UpdateAgent starts to collect system information that is then sent to its command-and-control (C2) server.<\/p>\n<p>Notably, the malware\u2019s developer has periodically updated the trojan over the last year to improve upon its initial functions and add new capabilities to the trojan\u2019s toolbox. The timeline below illustrates a series of techniques adopted by UpdateAgent from September 2020 through October 2021:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"593\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Timeline-1024x593.png\" alt=\"A timeline detailing UpdateAgent's evolution between September 2020 and October 2021 and the techniques the trojan adopted with each update. The timeline is further detailed in the following section:\" class=\"wp-image-106101\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Timeline-1024x593.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Timeline-300x174.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Timeline-768x445.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Timeline-1536x889.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Timeline.png 1838w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Figure 1. Tracking the evolution of UpdateAgent<\/em><\/figcaption><\/figure>\n<ul>\n<li><strong>September\u2013December 2020:<\/strong> The initial version of UpdateAgent was considered to be a fairly basic information-stealer. At the time, the malware was only capable of performing reconnaissance to scan and collect system information such as product names and versions. Once gathered, the data was then sent as heartbeats to the malware\u2019s C2 server.<\/li>\n<\/ul>\n<ul>\n<li><strong>January\u2013February 2021:<\/strong> Approximately two months later, UpdateAgent maintained its original capabilities and added a new one: the ability to fetch secondary payloads as <em>.dmg<\/em> files from public cloud infrastructure. DMG files are mountable disk images used to distribute software and apps to macOS, allowing the trojan to easily install additional programs on affected devices.<\/li>\n<\/ul>\n<ul>\n<li><strong>March 2021:<\/strong> Upon its third update, the malware altered one of its prior functions to fetch secondary payloads as <em>.zip<\/em> files instead of <em>.dmg<\/em> files. The malware\u2019s developer also included two new capabilities: the ability to bypass Gatekeeper by removing the downloaded file\u2019s quarantine attribute and the ability to create a PLIST file that is added to the <em>LaunchAgent<\/em> folder. The quarantine attribute forces Gatekeeper to block the launch of any file downloaded from the web or other unknown sources, and it also displays a pop-up warning that users cannot open the respective file as \u201cit is from an unidentified developer\u201d. By removing the attribute, the malware both prevented the pop-up message warning users and allowed the files to launch without being blocked by Gatekeeper. Moreover, as the <em>LaunchAgent <\/em>folder specifies which apps and code automatically run each time a user signs into the machine, adding the malware\u2019s PLIST file allowed it to be included in these automatic launches for persistence upon users signing into the affected device.<\/li>\n<\/ul>\n<ul>\n<li><strong>August 2021:<\/strong> The malware\u2019s fourth update further altered some of its prior capabilities. For one, it expanded its reconnaissance function to scan and collect System_profile and SPHardwaretype information. Additionally, UpdateAgent was changed to create and add PLIST files to the <em>LaunchDaemon<\/em> folder instead of the <em>LaunchAgent<\/em> folder. While targeting the <em>LaunchDaemon <\/em>folder instead of the <em>LaunchAgent <\/em>folder required administrative privileges, it permitted the malware to inject persistent code that ran as root. This code generally takes the form of background processes that don\u2019t interact with users, thus it also improved the trojan\u2019s evasiveness.<\/li>\n<\/ul>\n<ul>\n<li><strong>October 2021:<\/strong> We detected the latest variants of UpdateAgent just over a year since its release into the wild. Sporting many of the updates found in the August 2021 variant, UpdateAgent still performed system reconnaissance, communicated with the C2 server as heartbeats, and bypassed Gatekeeper. Additionally, the October update expanded the malware\u2019s ability to fetch secondary payloads as both <em>.dmg<\/em> or <em>.zip<\/em> files from public cloud infrastructure, rather than choosing between filetypes. Among its new capabilities, UpdateAgent included the ability to enumerate LSQuarantineDataURLString using SQLite in order to validate whether the malware\u2019s downloaded app is within the Quarantine Events database where it would be assigned a quarantine attribute. The upgrade also allowed the malware to leverage existing user profiles to run commands requiring sudo access in addition to the ability to add arguments using PlistBuddy to create and edit PLIST files more easily. Lastly, the trojan included the ability to modify sudoers list, allowing the malware to bypass a prompt requiring high privilege user credentials while running UpdateAgent\u2019s downloaded app.<\/li>\n<\/ul>\n<h3>October 2021 Campaign<\/h3>\n<p>In the <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1451279679059488773\">October 2021 campaign<\/a>, UpdateAgent included a larger set of sophisticated techniques than ever previously observed. The attackers distributed the trojanized app in <em>.zip <\/em>or <em>.pkg<\/em> format, conforming with a campaign observed in early 2021:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"445\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Attack-Chain-1024x445.png\" alt=\"The attack chain of the latest UpdateAgent campaign depicts the trojan first arriving by posing as legitimate software and is distributed via drive-by download. Once installed, it then performs reconnaissance and collects system information before leveraging existing user privileges to create folders and elevate permissions. It then downloads Adload adware from public cloud infrastructure and bypasses Gatekeeper by removing the downloaded file's quarantine attribute. UpdateAgent then adds and modifies the PLIST file using PLIST buddy and adds the modified PLIST to created LaunchAgents or LaunchDaemon folder for persistence. The trojan sends heartbeats to the C2 server with the collected information and then covers its tracks by removing the files and folders from the device.\" class=\"wp-image-106104\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Attack-Chain-1024x445.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Attack-Chain-300x130.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Attack-Chain-768x333.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/02\/UpdateAgent-Attack-Chain.png 1345w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Figure 2. Attack chain of the latest UpdateAgent campaign<\/em><\/figcaption><\/figure>\n<p>Upon analyzing UpdateAgent\u2019s infrastructure, we determined that the infrastructure used in the October 2021 campaign was created at the end of September 2021, and we also discovered additional domains with payloads. This indicates that the trojan is still in the developmental stage and is likely to add or modify its capabilities in future updates and continue its track of improving its overall level of sophistication.<\/p>\n<p>We further observed two separate variants of the UpdateAgent trojan in its October 2021 campaign. Each variant leveraged different tactics to infect a device, as detailed below:<\/p>\n<h3>Variant 1<\/h3>\n<p>The first variant of UpdateAgent takes the following steps to infect a device:<\/p>\n<ol type=\"1\">\n<li>A <em>.zip <\/em>file named <em>HelperModule.zip<\/em> downloads and installs UpdateAgent using a specific file path &#8211; <em>\/Library\/Application Support\/xxx\/xxx. <\/em>This <em>.zip<\/em> file is installed in <em>\/Library\/Application Support\/Helper\/HelperModule.<\/em><\/li>\n<li>UpdateAgent collects operating system and hardware information about the affected device. Once the compromised device connects to the C2 server, the trojan uses a <em>curl <\/em>request to send this data to the C2 server.<\/li>\n<li>Upon successful connection, UpdateAgent requests a secondary payload, usually a <em>.dmg<\/em> or <em>.zip<\/em> file, which is hosted on a CloudFront instance.<\/li>\n<li>Once the secondary payload downloads, UpdateAgent uses the <em>xattr <\/em>command &#8211; <em>\/usr\/bin\/xattr -rc \/tmp\/setup.dmg, <\/em>to remove the quarantine attribute of downloaded files and bypass Gatekeeper controls.<\/li>\n<li>UpdateAgent then extracts the secondary payload (.<em>dmg <\/em>or <em>.zip). <\/em>Once the file is mounted, it unzips and copies the payload files to a temporary folder, assigning executable permissions, and launches these files. UpdateAgent also uses PlistBuddy to create PLIST files under the <em>LaunchAgent<\/em> folder to remain persistent through system restart.<\/li>\n<li>UpdateAgent removes evidence by deleting the secondary payload, temporary folders, PLIST files, and all other downloaded artifacts.<\/li>\n<\/ol>\n<h3>Variant 2<\/h3>\n<p>The second variant of UpdateAgent takes the following steps to infect a device:<\/p>\n<ol type=\"1\">\n<li>A third-party WebVideoPlayer application (WebVideoPlayer.pkg) with a post-install script downloads additional apps or <em>.zip<\/em> files as <em>\/Applications\/WebVideoPlayer.app\/Contents\/MacOS\/WebVideoPlayer<\/em>. Notably, this application included a valid certificate that was later revoked by Apple in October 2021.<\/li>\n<li>The application scans the user profile to identify existing user IDs and assigned groups.<\/li>\n<li>The WebVideoPlayer application uses SQLite3 commands to determine if the <em>.pkg<\/em> file is within the Quarantine Events database, which contains URLs of downloaded files, mail addresses, and subjects for saved attachments.<\/li>\n<li>The <em>.pkg<\/em> payload extracts and drops UpdateAgent in <em>\/Library\/Application Support\/WebVideoPlayer\/WebVideoPlayerAgent<\/em>.<\/li>\n<li>The WebVideoPlayer application also assigns executable permissions to UpdateAgent and attempts to remove the quarantine attribute of the file using the <em>xattr<\/em> command to bypass Gatekeeper controls.<\/li>\n<li>The application then launches UpdateAgent and collects and sends the OS information to the attacker\u2019s C2 server. Like the first variant, the second variant sends <em>curl<\/em> requests that download additional payloads, such as adware, and removes evidence by deleting all files and folders that it created.<\/li>\n<\/ol>\n<h3>Adload adware<\/h3>\n<p>UpdateAgent is further characterized by its ability to fetch secondary payloads that can increase the chances of multiple infections on a device, with the latest campaign pushing adware. We first observed UpdateAgent distributing adware as a secondary payload in its October 2021 campaign, identified as part of the Adload adware family by Microsoft Defender Antivirus.<\/p>\n<p>Similar to UpdateAgent, adware is often included in potentially unwanted or malicious software bundles that install the adware alongside impersonated or legitimate copies of free programs. In Adload\u2019s case, we previously observed the adware family targeting macOS users had spread via rogue installers often found on malicious websites.<\/p>\n<p>Once adware is installed, it uses ad injection software and techniques to intercept a device\u2019s online communications and redirect users\u2019 traffic through the adware operators\u2019 servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.<\/p>\n<p>Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers\u2019 C2 servers. Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.<\/p>\n<h2>Defending against macOS threats<\/h2>\n<p>UpdateAgent\u2019s evolution displays the increasing complexity of threats across platforms. Its developers steadily improved the trojan over the last year, turning a basic information-stealer into a persistent and more sophisticated piece of malware. This threat also exemplifies the trend of common malware increasingly harboring more dangerous threats, a pattern also observed in other platforms. UpdateAgent\u2019s ability to gain access to a device can theoretically be leveraged by attackers to introduce potentially more dangerous payloads, emphasizing the need to identify and block threats such as this.<\/p>\n<p>Defenders can take the following mitigation steps to defend against this threat:<\/p>\n<ul>\n<li>Encourage the use of&nbsp;<a href=\"https:\/\/www.microsoft.com\/edge\">Microsoft Edge<\/a>\u2014available on macOS and various platforms\u2014or other web browsers that support <a href=\"https:\/\/docs.microsoft.com\/deployedge\/microsoft-edge-security-smartscreen\">Microsoft Defender SmartScreen<\/a>, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.<\/li>\n<li>Restrict access to privileged resources, such as <em>LaunchDaemons <\/em>or <em>LaunchAgents <\/em>folders and sudoers files, through OSX&nbsp;enterprise management solutions. This helps to mitigate common persistence and privilege escalation techniques.<\/li>\n<li>Install apps from trusted sources only, such as a software platform\u2019s official app store. Third-party sources may have lax standards for the applications that they host, allowing malicious actors to upload and distribute malware.<\/li>\n<li>Run the latest version of your operating systems&nbsp;and applications. Deploy the latest security updates as soon as they become available.<\/li>\n<\/ul>\n<p>As organizational environments are intricate and heterogenous, running multiple applications, clouds, and devices, they require solutions that can protect across platforms. <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> offers cross-platform security and a unified investigation experience that gives customers visibility across all endpoints and enables them to detect, manage, respond, and remediate threats, such as the capability to detect UpdateAgent\u2019s anomalous use of PlistBuddy.<\/p>\n<p>Microsoft Defender for Endpoint customers can apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:<\/p>\n<ul>\n<li>Turn on&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/mac-preferences?view=o365-worldwide#cloud-delivered-protection-preferences\">cloud-delivered protection<\/a>&nbsp;and <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/mac-preferences?view=o365-worldwide#enable--disable-automatic-sample-submissions\">automatic sample submission<\/a> on&nbsp;Microsoft Defender&nbsp;Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.&nbsp;<\/li>\n<li>Enable <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/mac-pua?view=o365-worldwide\">potentially unwanted application (PUA) protectio<\/a>n in block mode to automatically quarantine PUAs like adware. PUA blocking takes effect on endpoint clients after the next signature update or computer restart. PUA blocking takes effect on endpoint clients after the next signature update or computer restart.<\/li>\n<li>Turn on <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/network-protection?view=o365-worldwide\">network protection<\/a> to block connections to malicious domains and IP addresses.<\/li>\n<\/ul>\n<p>Defender for Endpoint\u2019s next-generation protection reinforces network security perimeters and includes antimalware capabilities to catch emerging threats, including UpdateAgent and its secondary payloads, C2 communications, and other malicious artifacts affiliated with the trojan\u2019s reconnaissance activities. Moreover, macOS antimalware detections provide insight into where a threat originated and how the malicious process or activity was created, providing security teams a comprehensive view of incidents and attack chains.<\/p>\n<p>Finally, this research underscores the importance of understanding a macOS threat\u2019s progression to not only remedy its current abilities, but to prepare for increased capabilities and sophistication of the threat. As threats on other OS platforms continue to grow, our security solutions must secure users\u2019 computing experiences be it a Windows or non-Windows machine. By sharing our research and other forms of threat intelligence, collaboration across the larger security community can aid in enriching our protection technologies, regardless of the platform or device in use.<\/p>\n<h3>Detection details<\/h3>\n<p><strong>Antivirus<\/strong><\/p>\n<p>Microsoft Defender Antivirus detects threat components and behavior as the following malware:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:MacOS\/UpdateAgent.B&amp;threatId=-2147170658\">Trojan:MacOS\/UpdateAgent.B<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:MacOS\/UpdateAgent.A&amp;threatId=-2147170350\">Trojan:MacOS\/UpdateAgent.A<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:MacOS\/Agent.A&amp;threatId=-2147191009\">Trojan:MacOS\/Agent.A<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Adware:MacOS\/Adload.A&amp;threatId=312991\">Adware:MacOS\/Adload.A<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Behavior:MacOS\/UpdateAgent.B&amp;threatId=-2147170477\">Behavior:MacOS\/UpdateAgent.B<\/a><\/li>\n<\/ul>\n<p><strong>Endpoint detection and response (EDR)<\/strong><\/p>\n<p>Alerts with the following titles in the Microsoft 365 Security Center can indicate threat activity within your network:<\/p>\n<ul>\n<li>macOS Gatekeeper bypass<\/li>\n<li>Executable permission added to file or directory<\/li>\n<li>Suspicious database access<\/li>\n<li>Suspicious System Hardware Discovery<\/li>\n<li>Suspicious binary dropped and launched<\/li>\n<\/ul>\n<h3>Advanced hunting<\/h3>\n<p>To locate activity related to UpdateAgent, run the following advanced hunting queries in Microsoft 365 Defender or Microsoft Defender Security Center.<\/p>\n<p><strong>File quarantine attribute<\/strong><\/p>\n<p>Look for file quarantine attribute removal for the specific packages involved in the campaign.&nbsp;<\/p>\n<pre class=\"wp-block-preformatted\">DeviceProcessEvents | where FileName has \"xattr\" and (ProcessCommandLine has \"-rc Library\/Application Support\/WebVideoPlayer\/WebVideoPlayerAgent\" or ProcessCommandLine has \"-r -d \/Library\/Application Support\/Helper\/HelperModule\")<\/pre>\n<p><strong>Quarantine Event database<\/strong><\/p>\n<p>Look for quarantine event database enumeration through <em>sqlite3<\/em> for the packages involved in the campaign.&nbsp;<\/p>\n<pre class=\"wp-block-preformatted\">DeviceProcessEvents | where FileName has \"sqlite3\" and ProcessCommandLine has \"WebVideoPlayer.pkg\"<\/pre>\n<p><strong>Curl request<\/strong><\/p>\n<p>Look for UpdateAgent\u2019s&nbsp; curl requests.<\/p>\n<pre class=\"wp-block-preformatted\">DeviceProcessEvents | where FileName has \"curl\" and ProcessCommandLine has \"--connect-timeout 900 -L\"<\/pre>\n<h3>Indicators<\/h3>\n<p><strong>Files (SHA-256)<\/strong><\/p>\n<ul>\n<li>1966d64e9a324428dec7b41aca852034cbe615be1179ccb256cf54a3e3e242ee<\/li>\n<li>ef23a1870d84e164a4234074251205190a5dfda9f465c8eee6c7e0d6878c2b05<\/li>\n<li>519339e67b1d421d51a0f096e80a57083892bac8bb16c7e4db360bb0fda3cb11<\/li>\n<li>cc2f246dda46b17e9302242879788aa114ee64327c8de43ef2b9ab56e8fb57b2<\/li>\n<li>5c1704367332a659f6e10d55d08a3e0ab1bd26aa97654365dc82575356c80502<\/li>\n<li>c60e210f73d5335f57f367bd7e166ff4c17f1073fd331370eb63342ab1c82238<\/li>\n<li>f01dec606db8f66489660615c777113f9b1180a09db2f5d19fb5bca7ba3c28c7<\/li>\n<li>4f1399e81571a1fa1dc822b468453122f89ac323e489f57487f6b174940e9c2e<\/li>\n<li>9863bc1917af1622fdeebb3bcde3f7bebabcb6ef13eae7b571c8a8784d708d57<\/li>\n<li>a1fba0bb0f52f25267c38257545834a70b82dbc98863aee01865a2661f814723<\/li>\n<li>81cfa53222fa473d91e2a7d3a9591470480d17535d49d91a1d4a7836ec943d3a<\/li>\n<li>78b4478cd3f91c42333561abb9b09730a88154084947182b2ec969995b25ad78<\/li>\n<li>91824c6a36ef60881b4f502102b0c068c8a3acd4bceb86eb4ffd1043f7990763<\/li>\n<li>86b45b861a8f0855c97cc38d2be341cc76b4bc1854c0b42bdca573b39da026ac<\/li>\n<li>84ff961552abd742cc2393dde20b7b3b7b2cfb0019c80a02ac24de6d5fcc0db4<\/li>\n<li>0ee6c8fd43c03e8dc7ea081dfa428f22209ed658f4ae358b867de02030cfc69b<\/li>\n<li>443b6173ddfbcc3f19d69f60a1e5d72d68d28b7323fe2953d051b32b4171aa9a<\/li>\n<li>409f1b4aeb598d701f6f0ed3b49378422c860871536425f7835ed671ba4dd908<\/li>\n<li>77f084b5fc81c9c885a9b1683a12224642072f884df9e235b78941a1ad69b80d<\/li>\n<li>cbabbbb270350d07444984aa0ce1bb47078370603229a3f03a431d6b7a815820<\/li>\n<li>053fbb833ac1287d21ae96b91d9f5a9cfdd553bc41f9929521d4043e91e96a98<\/li>\n<li>29e3d46867caddde8bb429ca578dd04e5d7112dd730cd69448e5fb54017a2e30<\/li>\n<li>356d429187716b9d5562fe6eee35ea60b252f1845724b0a7b740fbddec73350f<\/li>\n<li>a98ecd8f482617670aaa7a5fd892caac2cfd7c3d2abb8e5c93d74c344fc5879c<\/li>\n<li>c94760fe237da5786464ec250eadf6f7f687a3e7d1a47e0407811a586c6cb0fc<\/li>\n<li>eb71d15308bfcc00f1b80bedbe1c73f1d9e96fd55c86cf420f1f4147f1604f67<\/li>\n<li>0c08992841d5a97e617e72ade0c992f8e8f0abc9265bdca6e09e4a3cb7cb4754<\/li>\n<li>738822e109f1b14413ee4af8d3d5b2219293ea1a387790f207d937ca11590a14<\/li>\n<li>0d9f861fe4910af8299ac3cb109646677049fa9f3188f52065a47e268438b107<\/li>\n<li>a586ef06ab8dd6ad1df77b940028becd336a5764caf097103333975a637c51fa<\/li>\n<li>73a465170feed88048dbc0519fbd880aca6809659e011a5a171afd31fa05dc0b<\/li>\n<li>d5c808926000bacb67ad2ccc4958b2896ea562f27c0e4fc4d592c5550e39a741<\/li>\n<li>7067e6a69a8f5fdbabfb00d03320cfc2f3584a83304cbeeca7e8edc3d57bbbd4<\/li>\n<li>939cebc99a50989ffbdbb2a6727b914fc9b2382589b4075a9fd3857e99a8c92a<\/li>\n<li>c5017798275f054ae96c69f5dd0b378924c6504a70c399279bbf7f33d990d45b<\/li>\n<li>57d46205a5a1a5d6818ecd470b61a44aba0d935f256265f5a26d3ce791038fb4<\/li>\n<li>e8d4be891c518898dd3ccdff4809895ed21558d90d415cee868bebdab2da7397<\/li>\n<li>9f1989a04936cd8de9f5f4cb1f5f573c1871b63737b42d18ac4fa337b089cbdc<\/li>\n<li>b55c806367946a70d619f25e836b6883a36c9ad22d694a173866b57dfe8b29c9<\/li>\n<li>e46b09b270552c7de1311a8b24e3fcc32c8db220c03ca0d8db05e08c76e536f1<\/li>\n<li>f9842e31ed16fe0173875c38a41ed3a766041350b4efcd09da62718557ca3033<\/li>\n<li>bad5dc1dd6ff19f9fb1af853a8989c1b0fdfeaa4c588443607de03fccf0e21c9<\/li>\n<\/ul>\n<p><strong>Download URLs<\/strong><\/p>\n<ul>\n<li>hxxps:\/\/d35ep4bg5x8d5j[.]cloudfront[.]net\/pkg<\/li>\n<li>hxxps:\/\/d7rp2fva69arq[.]cloudfront[.]net\/pkg<\/li>\n<li>hxxps:\/\/daqi268hfl8ov[.]cloudfront[.]net\/pkg<\/li>\n<li>hxxps:\/\/events[.]optimizerservices[.]com\/pkg<\/li>\n<li>hxxps:\/\/ekogidekinvgwyzmeydw[.]s3[.]amazonaws[.]com\/OptimizerProcotolStatus[.]zip<\/li>\n<li>hxxps:\/\/lnzjvpeyarvvvtljxsws[.]s3[.]amazonaws[.]com\/ConsoleSoftwareUpdateAgent[.]zip<\/li>\n<li>hxxps:\/\/qqirhvehhnvuemxezfxc[.]s3[.]amazonaws[.]com\/ModuleAgent[.]zip<\/li>\n<li>hxxps:\/\/dpqsxofvslaxjaiyjdok[.]s3[.]amazonaws[.]com\/ProtocolStatus[.]zip<\/li>\n<li>hxxps:\/\/oldbrlauserz[.]s3[.]amazonaws[.]com\/setup[.]zip<\/li>\n<li>hxxps:\/\/grxqorfazgqbmzeetpus[.]s3[.]amazonaws[.]com\/SetupUpdateAgent[.]zip<\/li>\n<li>hxxps:\/\/phdhrhdsp[.]s3[.]amazonaws[.]com\/setup[.]zip<\/li>\n<li>hxxps:\/\/xyxeaxtugahkwrcvbzsw[.]s3[.]amazonaws[.]com\/BundleAgent[.]zip<\/li>\n<li>[.]s3[.]amazonaws[.]com\/GuideServices[.]zip<\/li>\n<li>hxxps:\/\/tnkdcxekehzpnpvimdwquzwzgpehlnwgizrlmzev[.]s3[.]amazonaws[.]com\/HelperModule[.]zip<\/li>\n<li>hxxps:\/\/svapnilpkasjmwtygfstkhsdfrraa[.]s3[.]amazonaws[.]com\/WizardUpdate[.]zip<\/li>\n<\/ul>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/02\/the-evolution-of-a-mac-trojan-updateagents-progression\/\">The evolution of a Mac trojan: UpdateAgent\u2019s progression<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/02\/the-evolution-of-a-mac-trojan-updateagents-progression\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Wed, 02 Feb 2022 17:00:00 +0000<\/strong><\/p>\n<p>Our discovery and analysis of a sophisticated Mac trojan in October exposed a year-long evolution of a malware family\u2014and depicts the rising complexity of threats across platforms. <\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/02\/the-evolution-of-a-mac-trojan-updateagents-progression\/\">The evolution of a Mac trojan: UpdateAgent\u2019s progression<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10468,4500,10403,24531,22453,24740],"class_list":["post-18132","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-adware","tag-cybersecurity","tag-macos","tag-microsoft-365-defender","tag-microsoft-security-intelligence","tag-updateagent"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18132"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18132\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}