Microsoft has discovered a new variant of the macOS malware known as WizardUpdate (also tracked as UpdateAgent or Vigram), updated with new evasion and persistence tactics, and has published mitigation guidance for it.
UpdateAgent uses public cloud infrastructure to host additional payloads and strips the quarantine attribute from the files it downloads. Removing that attribute is how it attempts to bypass Gatekeeper, the macOS control designed to allow only trusted applications to run on Mac devices.
Microsoft's researchers found that the latest variant, spotted in early October 2021, is most likely distributed as a drive-by download that spoofs legitimate software, much as threat intelligence firm Confiant found it disguised as a Flash installer in January.
WizardUpdate appears to have been updated many times by its developers since the first variant was identified in November 2020; that first version could only collect and exfiltrate system information.
The samples Microsoft researchers collected in October include several upgrades:
- Deploys a secondary payload downloaded from cloud infrastructure
- Obtains the complete download history of the infected Mac by enumerating LSQuarantineDataURLString with SQLite
- Bypasses Gatekeeper by removing the quarantine attribute from downloaded payloads
- Modifies PLIST files using PlistBuddy
- Executes commands using existing user profiles
- Uses sudo to grant normal users administrative privileges
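The download-history and quarantine-attribute items above are worth seeing from the defender's side. The following is an added example written for this article, not the malware's code and not Microsoft's: it builds a throwaway copy of the per-user LaunchServices quarantine database (same table and column names as the real one, rows constructed for the example), enumerates LSQuarantineDataURLString the way the feature list describes, and parses the com.apple.quarantine extended attribute that `xattr -d` removes. The database path and the quarantine attribute layout are as documented by macOS forensic practice; the URLs, UUIDs and timestamps are invented.

```python
"""Quarantine-database enumeration and com.apple.quarantine parsing.

Added example for this article (not the malware's or Microsoft's code).
Table/column names match macOS's LaunchServices quarantine store; every
row and attribute value below is constructed sample data.
"""
import sqlite3
import tempfile
from datetime import datetime, timezone, timedelta

# Real per-user location on a Mac. The example never reads it; it builds a
# temporary database with the same schema instead.
QUARANTINE_DB = "~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"

# LSQuarantineTimeStamp is "Mac absolute time": seconds since 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineOriginURLString TEXT
);
"""

# Constructed rows (not real telemetry): two Safari downloads in Oct 2021.
SAMPLE_ROWS = [
    ("11111111-AAAA-4BBB-8CCC-000000000001", 655000000.0,
     "com.apple.Safari", "Safari",
     "https://example.test/FlashPlayer.dmg", "https://example.test/update"),
    ("11111111-AAAA-4BBB-8CCC-000000000002", 655003600.0,
     "com.apple.Safari", "Safari",
     "https://example.test/payload.zip", "https://example.test/"),
]


def build_sample_db(path: str) -> None:
    """Create a quarantine-style database populated with the constructed rows."""
    con = sqlite3.connect(path)
    with con:
        con.executescript(SCHEMA)
        con.executemany(
            "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.close()


def download_history(path: str) -> list:
    """Enumerate LSQuarantineDataURLString, the column the malware reads to
    learn what the user downloaded; here used for investigation, with the
    Mac-absolute timestamps converted to UTC. Opens the file read-only."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, "
            "LSQuarantineAgentName, LSQuarantineDataURLString, "
            "LSQuarantineOriginURLString FROM LSQuarantineEvent "
            "ORDER BY LSQuarantineTimeStamp").fetchall()
    finally:
        con.close()
    return [
        {"event_id": ev_id, "time_utc": MAC_EPOCH + timedelta(seconds=ts),
         "agent": agent, "url": url, "origin": origin}
        for ev_id, ts, agent, url, origin in rows
    ]


def parse_quarantine_xattr(value: str) -> dict:
    """Parse the value `xattr -p com.apple.quarantine <file>` prints:
    "flags_hex;unix_time_hex;agent;event_id". The event_id joins the file to
    its LSQuarantineEvent row. Deleting the attribute (`xattr -d`, which is
    what the malware does) removes the marker Gatekeeper keys its check on."""
    flags, ts_hex, agent, event_id = value.split(";", 3)
    return {
        "flags": int(flags, 16),
        "time_utc": datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        "agent": agent,
        "event_id": event_id,
    }


def run_demo() -> list:
    """Build the sample database in a temp dir and return its history."""
    with tempfile.TemporaryDirectory() as d:
        db = f"{d}/QuarantineEventsV2"
        build_sample_db(db)
        return download_history(db)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["time_utc"].isoformat(), entry["agent"], entry["url"])
    # Constructed attribute value: flags 0x83, timestamp 2020-01-24, Safari.
    print(parse_quarantine_xattr(
        "0083;5e2a5d4a;Safari;11111111-AAAA-4BBB-8CCC-000000000001"))
```

On a live system, point download_history at the expanded QUARANTINE_DB path and compare its event identifiers against the com.apple.quarantine attribute on files in ~/Downloads: a database row whose file no longer carries the attribute is exactly the trace this malware's Gatekeeper bypass leaves behind.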
The Trojan deploys second-stage malware payloads, among them a variant of the malware tracked as Adload, which has been active since late 2017 and is known for slipping past Apple's YARA signature-based XProtect built-in antivirus to infect Macs.
It also uses existing user permissions to create folders on the infected device, and uses PlistBuddy to create and modify LaunchAgent/LaunchDaemon plists for persistence.
WizardUpdate's developers have also added an evasion feature to the latest variant that lets it hide its tracks by deleting the folders, files, and other artifacts it created on the infected Mac.
Malware on Mac is “worse than iOS”
AdLoad, one of the second-stage payloads WizardUpdate delivers to infected Macs, uses Man-in-the-Middle (MiTM) web proxies to hijack search engine results and inject ads into web pages for financial gain.
It persists through LaunchAgents and LaunchDaemons and, in some cases, through a user cronjob set to run every 2.5 hours.
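A hunt for this kind of persistence starts with the launch item plists themselves. The following is an added example written for this article, not code from the page, Microsoft, or SentinelOne: it parses a LaunchAgent plist with Python's plistlib and applies a few triage heuristics (program outside vendor locations, hidden directory in the path, RunAtLoad, a StartInterval). The plist is constructed to resemble what the PlistBuddy invocations described above would produce; the label, path and 2.5-hour interval are invented, and the heuristics are the author's, not a verdict.

```python
"""Triage of LaunchAgent/LaunchDaemon plists.

Added example for this article (not the page's, Microsoft's or the
malware's code). The sample plist is constructed; the heuristics flag
things worth a look and are not a detection signature.
"""
import os
import plistlib

# Directories macOS loads launch items from (per-user and system-wide).
LAUNCH_DIRS = (
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)

# Where programs referenced by legitimate launch items normally live.
# Anything else is not necessarily malicious, just worth reviewing.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/")

# Constructed sample, shaped like the output of
#   /usr/libexec/PlistBuddy -c "Add :Label string com.example.updater" ...
# Label, path and interval are invented; 9000 s mirrors the 2.5-hour cadence.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/Application Support/.hidden/updater</string>
    <string>--quiet</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>9000</integer>
</dict>
</plist>
"""


def triage_launch_item(data: bytes) -> list:
    """Return a list of human-readable findings for one plist (empty = nothing notable)."""
    findings = []
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    if program is None:
        findings.append("no Program/ProgramArguments key")
        return findings
    if not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside vendor locations: {program}")
    if any(part.startswith(".") for part in program.split("/")):
        findings.append("program path contains a hidden directory")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad set (starts at login/boot)")
    interval = plist.get("StartInterval")
    if interval:
        findings.append(
            f"StartInterval {interval}s (re-runs every {interval / 3600:.1f} h)")
    return findings


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> dict:
    """Triage every .plist under the launch directories that exist on this host."""
    results = {}
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    findings = triage_launch_item(f.read())
            except (OSError, plistlib.InvalidFileException) as exc:
                findings = [f"unreadable: {exc}"]
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    for finding in triage_launch_item(SAMPLE_PLIST):
        print("sample:", finding)
    for path, findings in scan_launch_dirs().items():
        print(path, "->", "; ".join(findings))
```

Pair the plist review with `crontab -l` for each user and with the quarantine history of the referenced binaries: a program in a hidden directory under the user's home that has no quarantine attribute and is re-run on a timer is the combination the article describes.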
Phil Stokes, a threat researcher at SentinelOne, has been monitoring AdLoad campaigns since November 2020, when WizardUpdate was first discovered, and has found hundreds of samples, about 150 of which went undetected by Apple's built-in antivirus.
Many of the samples Stokes found were signed with a valid Developer ID certificate issued by Apple, and some were notarized, so they run under Gatekeeper's default settings.
WizardUpdate and AdLoad currently deploy only adware and bundleware as secondary payloads, but their operators could switch to more dangerous malware such as wipers or ransomware at any time.
Craig Federighi, head of Apple's software division, said: “Malware on Macs these days is at a level we can't tolerate, and it's behaving much worse than iOS.”