Michael in Tennessee sent this article to the Security Box email list. It's titled "Mac malware spreading for ~14 months is growing increasingly aggressive" and comes to us from Ars Technica.
There are two components to this malware, an update component and an ad network stealer component.
The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information-stealer. It collected product names, version numbers, and other basic system information. Its methods of persistence—that is, the ability to run each time a Mac boots—were also fairly rudimentary.
The article introduces the term Person-in-the-Middle (PiTM) in place of man-in-the-middle.
Microsoft researchers wrote:
Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.
Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers’ C2 servers. Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.
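The quoted Microsoft analysis describes Adload installing a web proxy so that browser traffic passes through the adware operators' servers. On a Mac, a system-wide proxy of that kind shows up in the host's network configuration, and a defender's first triage step is simply to look there. The script below is an added example (it is not code from Ars Technica, Microsoft or the malware write-up): it parses the output of `scutil --proxy` and reports any enabled HTTP, HTTPS or SOCKS proxy or PAC script. The key names it looks for (HTTPEnable, HTTPProxy, HTTPPort and their HTTPS/SOCKS and ProxyAutoConfig counterparts) are assumed from that tool's usual output, and the sample text embedded in the block is constructed so the parser can be exercised on any platform.

```python
"""Report enabled system-wide proxies on macOS by parsing `scutil --proxy`.

Added example, not from the article or from Microsoft's analysis. The key
names are assumed from the usual `scutil --proxy` output format.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample, shaped like `scutil --proxy` output on a host whose
# HTTP and HTTPS traffic has been pointed at a local proxy on port 8080.
SAMPLE_SCUTIL_OUTPUT = """<dictionary> {
  HTTPEnable : 1
  HTTPPort : 8080
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : 127.0.0.1
  SOCKSEnable : 0
  ProxyAutoConfigEnable : 0
}
"""

# One "Key : value" line; the surrounding "<dictionary> {" and "}" do not match.
_LINE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_scutil_proxy(text: str) -> Dict[str, str]:
    """Turn the key/value lines of `scutil --proxy` output into a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def find_active_proxies(settings: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per enabled proxy or PAC script."""
    findings: List[str] = []
    for proto in ("HTTP", "HTTPS", "SOCKS"):
        if settings.get(f"{proto}Enable") == "1":
            host = settings.get(f"{proto}Proxy", "?")
            port = settings.get(f"{proto}Port", "?")
            findings.append(f"{proto} proxy -> {host}:{port}")
    if settings.get("ProxyAutoConfigEnable") == "1":
        url = settings.get("ProxyAutoConfigURLString", "?")
        findings.append(f"PAC script -> {url}")
    return findings


def current_proxy_settings() -> Dict[str, str]:
    """Run `scutil --proxy` on the local Mac; empty dict if the tool is unavailable."""
    try:
        out = subprocess.run(["scutil", "--proxy"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return {}
    return parse_scutil_proxy(out)


if __name__ == "__main__":
    # Show the constructed sample first, then whatever the local host reports.
    for label, settings in (("sample", parse_scutil_proxy(SAMPLE_SCUTIL_OUTPUT)),
                            ("this host", current_proxy_settings())):
        findings = find_active_proxies(settings)
        print(f"[{label}] " + ("; ".join(findings) if findings else "no proxy enabled"))
```

A proxy on 127.0.0.1 is not proof of adware on its own (some endpoint security agents and developer tools legitimately run one), so treat a hit as a prompt to identify which process owns that port rather than as a verdict.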
The malware also removes the flag that tells Gatekeeper to inspect a downloaded file.
Before installing the adware, UpdateAgent now removes a flag that a macOS security mechanism called Gatekeeper adds to downloaded files. (Gatekeeper ensures users receive a warning that new software comes from the Internet, and it also ensures the software doesn’t match known malware strains.) While this malicious capability isn’t novel—Mac malware from 2017 did the same thing—its incorporation into UpdateAgent indicates the malware is under regular development.
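The flag the article refers to is the com.apple.quarantine extended attribute, which browsers and other downloaders attach to files they save; Gatekeeper only steps in for files that still carry it. The script below is an added example (not code from Ars Technica or Microsoft) that audits a set of files for that attribute and decodes the ones that have it. It assumes the value layout commonly seen on real systems, "flags;hex-unix-time;agent;uuid", and reads the attribute with the macOS `xattr -p` command; the audit function accepts an injectable reader so it can be tested with constructed values on any platform.

```python
"""Audit files for the macOS quarantine attribute that Gatekeeper relies on.

Added example, not from the article or from Microsoft's analysis. The
attribute value layout ("flags;hex-unix-time;agent;uuid") is assumed from
what real downloads carry; fields beyond the third are optional.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int                  # bit flags set by the downloading app
    downloaded_at: datetime     # UTC time the file was quarantined
    agent: str                  # app that saved the file, e.g. Safari
    uuid: Optional[str]         # LaunchServices record id, if present


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode a semicolon-separated quarantine attribute value."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, stamp, parts[2], uuid)


def read_xattr_macos(path: str, name: str) -> Optional[str]:
    """Read one extended attribute via `xattr -p`; None when absent or unreadable."""
    try:
        out = subprocess.run(["xattr", "-p", name, path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


def audit(paths: Iterable[str],
          reader: Callable[[str, str], Optional[str]] = read_xattr_macos
          ) -> Dict[str, Optional[QuarantineInfo]]:
    """Map each path to its decoded quarantine record, or None if the flag is gone."""
    results: Dict[str, Optional[QuarantineInfo]] = {}
    for path in paths:
        raw = reader(path, QUARANTINE_XATTR)
        results[path] = parse_quarantine(raw) if raw else None
    return results


def unquarantined(results: Dict[str, Optional[QuarantineInfo]]) -> List[str]:
    """Paths that lack the attribute, i.e. files Gatekeeper will not examine."""
    return [path for path, info in results.items() if info is None]


# Constructed sample: one file still flagged by Safari, one with the flag stripped.
SAMPLE_XATTRS = {
    "/tmp/sample/Installer.dmg": "0081;61f9c3a0;Safari;",
}


def sample_reader(path: str, name: str) -> Optional[str]:
    return SAMPLE_XATTRS.get(path) if name == QUARANTINE_XATTR else None


if __name__ == "__main__":
    report = audit(["/tmp/sample/Installer.dmg", "/tmp/sample/Helper.pkg"],
                   reader=sample_reader)
    for path, info in report.items():
        status = f"quarantined by {info.agent} at {info.downloaded_at:%Y-%m-%d}" if info else "NO quarantine flag"
        print(f"{path}: {status}")
```

Run it against a user's Downloads folder with the default reader to list installers that reached the disk without the attribute, or that lost it before they were opened; that is the condition under which Gatekeeper's warning never appears.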
I mentioned and asked about Gatekeeper in a Mac Buzz talk on Clubhouse after seeing an article I blogged about, and it was determined that Gatekeeper is like Windows Defender or any other type of antivirus program for today.
The article also links to Apple’s support document, which I think I want to read.
Microsoft said UpdateAgent masquerades as legitimate software, such as video apps or support agents, that is spread through pop-ups or ads on hacked or malicious websites. Microsoft didn’t explicitly say so, but users apparently must be tricked into installing UpdateAgent, and during that process, Gatekeeper works as designed.
In many ways, the evolution of UpdateAgent is a microcosm for the macOS malware landscape as a whole: malware continues to become more advanced. Mac users should learn how to spot social engineering lures, such as unsolicited pop-ups appearing in browser windows that warn of infections or unpatched software.
There’s more that I didn’t quote or write about; please check the full article for complete details. Stay safe!