
Microsoft: WizardUpdate Mac malware adds new evasion tactics
2021-10-22 15:14

Microsoft says it found new variants of macOS malware known as WizardUpdate, updated to use new evasion and persistence tactics.

The trojan deploys second-stage malware payloads, including a variant tracked as AdLoad, which has been active since late 2017 and is known for slipping past XProtect, Apple's built-in YARA signature-based antivirus, to infect Macs.

"UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file's quarantine attribute," Microsoft said.
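The quarantine attribute Microsoft refers to is `com.apple.quarantine`, an extended attribute that Safari and other sandboxed download agents stamp on fetched files and that Gatekeeper consults before launching them. A defender triaging a Mac can audit a download directory for files where the attribute is absent or malformed. The following is an added example written for this page (it is not Microsoft's or the article's code): it assumes the value layout `<flags hex>;<unix time hex>;<agent>;<uuid>` that is commonly observed for the attribute, reads live values through the macOS `xattr -p` command, and includes constructed sample values so the audit logic can run offline on any platform.

```python
"""Audit files for a missing or malformed com.apple.quarantine attribute.

Defender-side triage helper (hypothetical; not from the article). A file that
reached ~/Downloads without the attribute may have been fetched by an
unsandboxed process (e.g. curl) or had the attribute stripped afterwards.
"""
import os
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse a raw attribute value.

    Assumed layout (four ';'-separated fields):
        <flags hex>;<unix timestamp hex>;<downloading agent>;<uuid>
    Raises ValueError for anything that does not match.
    """
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {value!r}")
    try:
        flags = int(parts[0], 16)
        ts = int(parts[1], 16)
    except ValueError as exc:
        raise ValueError(f"non-hex flags/timestamp in {value!r}") from exc
    return QuarantineInfo(
        flags=flags,
        downloaded_at=datetime.fromtimestamp(ts, tz=timezone.utc),
        agent=parts[2],
        uuid=";".join(parts[3:]),
    )


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute via `xattr -p` (macOS), or None if absent."""
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_ATTR, path],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:  # xattr reports "No such xattr" and exits non-zero
        return None
    return proc.stdout.strip()


def audit(entries: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """entries: filename -> raw attribute value (None means attribute missing).

    Returns (filename, reason) findings; files with a well-formed attribute
    produce no finding.
    """
    findings: List[Tuple[str, str]] = []
    for name, raw in entries.items():
        if raw is None:
            findings.append((name, "quarantine attribute missing: stripped, or "
                                   "written by an unsandboxed process"))
            continue
        try:
            parse_quarantine(raw)
        except ValueError as exc:
            findings.append((name, f"malformed quarantine attribute: {exc}"))
    return findings


def audit_directory(directory: str) -> List[Tuple[str, str]]:
    """Collect attribute values for every regular file in `directory` and audit them."""
    entries: Dict[str, Optional[str]] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries[name] = read_quarantine(path)
    return audit(entries)


# Constructed sample values, shaped like `xattr -p com.apple.quarantine` output.
SAMPLE_ENTRIES: Dict[str, Optional[str]] = {
    "Installer.dmg": "0083;6172a2f0;Safari;F1F2F3F4-0000-4000-8000-ABCDEF012345",
    "update.pkg": None,          # attribute absent
    "helper.app": "not;a;real;value;zz",  # fields present but not hex
}

if __name__ == "__main__":
    # Pass a directory to audit it live on macOS; otherwise run on the sample.
    results = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_ENTRIES)
    for filename, reason in results:
        print(f"{filename}: {reason}")
```

Run it as `python3 quarantine_audit.py ~/Downloads` on the machine being triaged; without an argument it audits the constructed sample and flags `update.pkg` (no attribute) and `helper.app` (unparseable fields) while passing `Installer.dmg`. An absent attribute is a signal to investigate, not proof of tampering, since tools such as `curl` never set it in the first place.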

AdLoad, one of the second-stage payloads WizardUpdate delivers on compromised Macs, also hijacks search engine results and injects advertisements into web pages for monetary gain by routing traffic through a man-in-the-middle web proxy.

Although both WizardUpdate and AdLoad currently deploy only adware and bundleware as secondary payloads, their operators could switch at any time to more dangerous payloads such as wipers or ransomware.

"Today, we have a level of malware on the Mac that we don't find acceptable and that is much worse than iOS," said Craig Federighi, Apple's head of software, in May 2021 under oath while testifying in the Epic Games vs. Apple trial.


News URL

https://www.bleepingcomputer.com/news/security/microsoft-wizardupdate-mac-malware-adds-new-evasion-tactics/