Microsoft shares details about sophisticated UpdateAgent trojan targeting Macs

A skull overlay on a Macbook

Cybersecurity continues to be an evolving domain, both for threat actors and security experts. That said, one positive that has come out of it recently is the fact that companies are more willing to share information with partners, experts, and the larger community to collaboratively tackle threats. An example of this is Microsoft working with Apple to patch the "Shrootless" vulnerability in macOS devices. Now, the Redmond tech firm has provided detailed information about a sophisticated trojan that is targeting Macs.

Microsoft says that the trojan is dubbed "UpdateAgent" and emerged back in September 2020 as a relatively basic information-stealer. However, since then, it has evolved quite a lot and its recent iterations have actually been known to distribute secondary payload, such as the Adload adware. Microsoft has cautioned that UpdateAgent's constantly evolving persistent infiltration methods means that it could evolve even further in future campaigns and distribute more dangerous payload.

UpdateAgent usually poses as legitimate software that users download on their Macs. It then bypasses several macOS controls to persist in the device. An example of this is bypassing of Gatekeeper, which was made to ensure that only trusted apps can run on your hardware. The trojan then utilizes existing user permissions to perform malicious activity, following which it covers its tracks.

Microsoft also noted that UpdateAgent downloads its malicious payload from S3 buckets and Cloudfront on AWS. So the company has worked together with Amazon to take down some known problematic URLs. The evolution of UpdateAgent from its first appearance in September 2020 to its latest campaign in October 2021 can be seen in the graphic below:

A graphic showing the evolution of UpdateAgent trojan

Microsoft stated that the October 2021 campaign for UpdateAgent was its most sophisticated yet. The trojan was packed in .zip and .pkg formats and was distributed via drive-by downloads but the end-result also included modification of the Sudoer's list. Microsoft's investigation also revealed that the infrastructure for the latest attack was created in September 2021, with additional malicious domains spotted too. This indicates that UpdateAgent is actively being developed and may continue to become more sophisticated and dangerous down the line.

The company had the following details to share regarding the existing Adload adware payload:

Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.

Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers’ C2 servers. Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.

For the time being, Microsoft has some recommendations for protection against UpdateAgent. For the public, these include restricted access to privileged resources, installation of apps from trusted sources only, deployment of latest software security updates, and the use of Microsoft Edge which blocks malicious websites automatically. Meanwhile, organizations are encouraged to do all of the above and use Microsoft Defender for Endpoint too.

Microsoft hopes that by sharing all of this information, it has emphasized the threat of evolving malware and the type of security solutions that vendors must offer to protect Windows and non-Windows machines. It has also shared some Advanced hunting queries and indicators of compromise (IoCs) that you can read more about here.

Report a problem with article
Project Circuit Breaker
Next Article

Intel expands its Bug Bounty Program with the launch of Project Circuit Breaker

Twitter logo on a dark background with a pen and paper at the bottom
Previous Article

Twitter still won't let you edit tweets, but it may let you write longform articles

10 Comments - Add comment

Advertisement