UpdateAgent is a malware dropper with a well-built infrastructure targeting macOS systems, and it seems that it has been updated once again. According to Jamf Threat Labs, changes were implemented to the dropper, primarily focused on new executables written in Swift.
These UpdateAgent executables “reach out to a registration server to pull down a new set of instructions in the form of a bash script,” the researchers said. Notably, the malware relies on AWS infrastructure to host its various payloads and to report its infection status back to the server. These ongoing changes show the malware authors’ intention to infect as many Mac users as possible.
UpdateAgent Dropper: What Is New?
The new variant exhibits many of the classic dropper features, the researchers said, including “minor system fingerprinting, endpoint registration and persistence.” The threat-hunting team observed an increase in adware and malware prevention events that appeared to originate from the same source (malware family). The executable that was analyzed was unsigned and was running from the “/Library/Application Support” directory. The analysis revealed it was written in Swift and contained “suspiciously obfuscated (base64) strings.”
The new dropper also masquerades as Mach-O binaries dubbed “PDFCreator” and “ActiveDirectory”. Once executed, they establish a connection to a remote server and retrieve a bash script intended for execution. The bash scripts, called “activedirec.sh” or “bash_qolveevgclr.sh”, include a URL that leads to Amazon S3 buckets to download and run a second-stage disk image (DMG) file on the affected machine.
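As an added triage example (not code from the Jamf report or from the malware itself): the report notes base64-obfuscated strings in the unsigned Swift binary and bash scripts that fetch a DMG from S3, so a defender can dump the strings of a suspect file found under /Library/Application Support and flag any base64 values that decode to S3 URLs, stage files or drop paths. The sample strings and the decoded values below are constructed placeholders, not real UpdateAgent indicators.

```python
import base64
import binascii
import re

# Constructed sample of strings as `strings(1)` might dump them from an
# unsigned Mach-O found under /Library/Application Support. The encoded
# values are placeholders made up for this example, not real indicators.
_PLACEHOLDERS = [
    b"https://example-bucket.s3.amazonaws.com/stage2.dmg",  # hypothetical S3 URL
    b"/Library/Application Support/PDFCreator",
    b"curl -s $URL | bash ./activedirec.sh",
]
SAMPLE_STRINGS = (
    [b"__TEXT", b"_main", b"Swift runtime", b"AAAAAAAAAAAAAAAAAAAAAAAA"]
    + [base64.b64encode(p) for p in _PLACEHOLDERS]
    + [b"dGhpcyBpcyBub3QgYSB1cmw="]  # decodes to "this is not a url"
)

# Whole-string base64 candidates of at least 16 characters.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")

# Indicator categories derived from the behaviour described above:
# S3-hosted payloads, .dmg/.sh stages, the drop directory, shell fetch-and-run.
SUSPICIOUS = {
    "s3_host": re.compile(r"amazonaws\.com"),
    "stage_file": re.compile(r"\.(dmg|sh)\b"),
    "drop_dir": re.compile(r"/Library/Application Support"),
    "shell_pipe": re.compile(r"\|\s*bash|\bcurl\b"),
}

def decode_candidates(strings):
    """Return (encoded, decoded) pairs for base64 strings that decode to printable ASCII."""
    out = []
    for s in strings:
        if not B64_RE.match(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except binascii.Error:
            continue  # not valid base64 (bad length or padding)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary data, not an obfuscated string
        if text.isprintable():
            out.append((s.decode(), text))
    return out

def triage(strings):
    """Map each decoded string to the indicator categories it matches."""
    findings = {}
    for _enc, text in decode_candidates(strings):
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if hits:
            findings[text] = hits
    return findings
```

Feed it the output of `strings` on any unsigned binary found in that directory; decoded values that hit `s3_host` or `stage_file` are the ones to pull the referenced payload for.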
In conclusion, UpdateAgent is known for its well-constructed back end, which allows for easy updates. Although it is currently dropped mainly by adware families, security researchers are concerned that its creators may have other, more malicious plans for it in the future, given its well-built infrastructure and frequent updates.