{"id":18215,"date":"2022-02-07T10:45:05","date_gmt":"2022-02-07T18:45:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/07\/news-11948\/"},"modified":"2022-02-07T10:45:05","modified_gmt":"2022-02-07T18:45:05","slug":"news-11948","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/07\/news-11948\/","title":{"rendered":"An Insidious Mac Malware Is Growing More Sophisticated"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61fdceeb808412610f9e4ca2\/master\/pass\/Security-Mac-Malware-1235461684.jpg\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Mon, 07 Feb 2022 14:00:00 +0000<\/strong><\/p>\n<p><span class=\"lead-in-text-callout\">Mac malware known<\/span> as UpdateAgent has been spreading for more than a year, and it is growing increasingly malevolent as its developers add new bells and whistles. 
The additions include the pushing of an aggressive second-stage adware payload that installs a persistent backdoor on infected Macs.<\/p>\n<p class=\"paywall\">This story originally appeared on <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/02\/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive\/\" rel=\"nofollow noopener\" target=\"_blank\">Ars Technica<\/a>, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED&#x27;s parent company, Cond\u00e9 Nast.<\/p>\n<p class=\"paywall\">The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information-stealer. It collected product names, version numbers, and other basic system information. 
Its methods of persistence\u2014that is, the ability to run each time a <a href=\"https:\/\/www.wired.com\/tag\/mac\/\">Mac<\/a> boots\u2014were also fairly rudimentary.<\/p>\n<p class=\"paywall\">Over time, <a data-offer-url=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/02\/the-evolution-of-a-mac-trojan-updateagents-progression\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/02\/the-evolution-of-a-mac-trojan-updateagents-progression\/&quot;}\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/02\/02\/the-evolution-of-a-mac-trojan-updateagents-progression\/\" rel=\"nofollow\" target=\"_blank\">Microsoft said<\/a> on Wednesday, UpdateAgent has grown increasingly advanced. Besides the data sent to the attacker server, the app also sends \u201cheartbeats\u201d that let attackers know if the <a href=\"https:\/\/www.wired.com\/tag\/malware\/\">malware<\/a> is still running. It also installs adware known as Adload.<\/p>\n<p class=\"paywall\">Microsoft researchers wrote:<\/p>\n<p class=\"paywall\"><em>Once adware is installed, it uses ad injection software and techniques to intercept a device\u2019s online communications and redirect users\u2019 traffic through the adware operators\u2019 servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.<\/em><\/p>\n<p class=\"paywall\"><em>Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers\u2019 C2 servers. 
Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.<\/em><\/p>\n<p class=\"paywall\">Before installing the adware, UpdateAgent now removes a flag that a <a href=\"https:\/\/www.wired.com\/tag\/macos\/\">macOS<\/a> security mechanism called <a data-offer-url=\"https:\/\/support.apple.com\/en-us\/HT202491\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/support.apple.com\/en-us\/HT202491&quot;}\" href=\"https:\/\/support.apple.com\/en-us\/HT202491\" rel=\"nofollow noopener\" target=\"_blank\">Gatekeeper<\/a> adds to downloaded files. (Gatekeeper ensures users receive a warning that new software comes from the internet, and it also ensures the software doesn\u2019t match known malware strains.) While this malicious capability isn\u2019t novel\u2014<a data-offer-url=\"https:\/\/objective-see.com\/blog\/blog_0x1F.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/objective-see.com\/blog\/blog_0x1F.html&quot;}\" href=\"https:\/\/objective-see.com\/blog\/blog_0x1F.html\" rel=\"nofollow noopener\" target=\"_blank\">Mac malware from 2017<\/a> did the same thing\u2014its incorporation into UpdateAgent indicates the malware is under regular development.<\/p>\n<p class=\"paywall\">UpdateAgent\u2019s reconnaissance has been expanded to collect <a data-offer-url=\"https:\/\/discussions.apple.com\/thread\/2414242\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/discussions.apple.com\/thread\/2414242&quot;}\" href=\"https:\/\/discussions.apple.com\/thread\/2414242\" rel=\"nofollow noopener\" target=\"_blank\">system profile<\/a> and <a 
data-offer-url=\"https:\/\/stackoverflow.com\/questions\/8058151\/how-does-system-profiler-retrieve-the-full-mac-hardware-identifier\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/stackoverflow.com\/questions\/8058151\/how-does-system-profiler-retrieve-the-full-mac-hardware-identifier&quot;}\" href=\"https:\/\/stackoverflow.com\/questions\/8058151\/how-does-system-profiler-retrieve-the-full-mac-hardware-identifier\" rel=\"nofollow noopener\" target=\"_blank\">SPHardwaretype<\/a> data, which, among other things, reveals a Mac\u2019s serial number. The malware also started modifying the LaunchDaemon folder instead of the LaunchAgent folder as before. While the change requires UpdateAgent to run as administrator, the change allows the trojan to inject persistent code that runs as root.<\/p>\n<p class=\"paywall\"><strong>The following timeline illustrates the evolution.<\/strong><\/p>\n<p class=\"paywall\">Once installed, the malware collects the system info and sends it to the attackers\u2019 control server and takes a host of other actions. <strong>The attack chain of the latest exploit looks like this:<\/strong><\/p>\n<p class=\"paywall\">Microsoft said UpdateAgent masquerades as legitimate software, such as video apps or support agents, that is spread through pop-ups or ads on hacked or malicious websites. Microsoft didn\u2019t explicitly say so, but users apparently must be tricked into installing UpdateAgent, and during that process, Gatekeeper works as designed.<\/p>\n<p class=\"paywall\">In many ways, the evolution of UpdateAgent is a microcosm for the macOS malware landscape as a whole: Malware continues to become more advanced. 
Mac users should learn how to spot social engineering lures, such as unsolicited popups appearing in browser windows that warn of infections or unpatched software.<\/p>\n<p class=\"paywall\"><em>This story originally appeared on<\/em> <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/02\/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/mac-malware-spreading-for-14-months-is-growing-increasingly-aggressive\/\" rel=\"nofollow noopener\" target=\"_blank\"><em>Ars Technica<\/em><\/a><em>.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/mac-malware-growing-more-sophisticated\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61fdceeb808412610f9e4ca2\/master\/pass\/Security-Mac-Malware-1235461684.jpg\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Mon, 07 Feb 2022 14:00:00 +0000<\/strong><\/p>\n<p>When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. 
Its developers have since expanded it in dangerous ways.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18215","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18215"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18215\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}