Microsoft Details Evolution of Sophisticated UpdateAgent Mac Malware

Microsoft Details Evolution of Sophisticated UpdateAgent Mac Malware

Microsoft has shared some important details about the evolution of a malware called “UpdateAgent” that started targeting Mac devices in 2020. Yesterday, Microsoft’s threat intelligence team warned users that the new variants of this trojan have become more sophisticated, and they are currently installing adware payloads on infected Mac machines.

The UpdateAgent malware was first discovered back in September 2020, which was used by threat actors to steal information like product names, version numbers, and other minor details on Mac devices. However, Microsoft reports that UpdateAgent has become increasingly sophisticated over time. The trojan can now bypass several macOS controls to persist and run each time the Mac system boots. Consequently, UpdateAgent can easily exploit user permissions to perform malicious activities.

Microsoft also found that UpdateAgent downloads its additional payloads directly from
Amazon Web Services‘ S3 and CloudFront services. Fortunately, Microsoft’s security researchers have collaborated with AWS to remove malicious links from its cloud services.

“Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results,” the Microsoft 365 Defender threat intelligence team explained yesterday.

The UpdateAgent malware is distributed as legitimate software on malicious websites

Microsoft also highlighted that the UpdateAgent trojan usually poses as legitimate software distributed via advertisements or pop-ups on malicious websites. “More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators,” Microsoft noted.

You can see the evolution of the UpdateAgent trojan from September 2020 to October 2021 in the image below:

Microsoft Details Evolution of Sophisticated UpdateAgent Mac Malware

Microsoft has outlined a few suggestions to help users protect their Mac machines from this malware. The company recommends consumers to install the latest security patches, install applications from trusted sources, as well as switch to its new Edge browser on macOS to block malicious websites. Meanwhile, enterprise customers are also advised to use Microsoft Defender for Endpoint to protect Mac devices in their organization.