
UpdateAgent Mac malware exhibits new eluding tactics

Microsoft says UpdateAgent is the latest adaptation of the macOS malware, with new evasion tactics

Published: October 26, 2021 By Ozair Malik

UpdateAgent, the latest in a series of upgrades, continues to grow in sophistication and now uses more evasion tactics.


Microsoft reports that it found the current form of the macOS malware modified to use new evasion and persistence techniques, a sign of growing sophistication.

It is also tracked as WizardUpdate or Vigram. WizardUpdate is the updated form of the malware discovered earlier this month by Microsoft security researchers.

It is probably being distributed through drive-by downloads. It impersonates legitimate software, just as it did when threat intelligence firm Confiant found it disguised as Flash installers in January.

What is WizardUpdate?

WizardUpdate is an adware-type application with browser hijacker traits. It is linked to Adload, a well-known adware family. It works by running intrusive advertising campaigns and promoting fake search engines by changing browser settings.

Moreover, like most adware and browser hijackers, it has data-tracking abilities for collecting browser-related information.

WizardUpdate is classified as a Potentially Unwanted Application/Program (PUA/PUP). It is promoted through the installer of DLVPlayer, another PUA.

Such software serves pop-ups, banners, coupons, surveys, full-page and other intrusive ads. Once clicked, intrusive ads redirect to malicious sites or even download and install software.

Browser hijackers redirect homepages, default search engines, and new-tab URLs to fake search engines.

Fake search engines produce redirection chains ending at Yahoo, Google, and other legitimate sites. It is not possible to recover a hijacked browser while the hijacker is present, because it denies access to the affected browser settings.

How WizardUpdate malware is installed on a computer

PUAs are mostly downloaded/installed along with other products, through bundling. Bundling is the deceptive technique of pre-packing malicious additions with regular software.

While downloading/installing software, users mostly allow bundled content onto their devices without realizing it.

Intrusive advertisements, when clicked, can also execute scripts that download/install software regardless of the user’s permission. In some cases, PUAs have “official” web pages for downloading.

How to avoid installation of such unwanted applications

When downloading/installing, use official web pages. Unofficial pages often contain harmful and bundled content.

When downloading, read the terms and conditions before accepting them. Intrusive advertisements redirect to malicious sites.

If you are unintentionally redirected to such sites, inspect the system and remove all browser extensions promptly. To activate and update installed programs, use official tools or functions.

Avoid activating licensed software with cracking tools. To eliminate WizardUpdate adware, run a scan with Combo Cleaner Antivirus for macOS.

Characteristics of WizardUpdate malware

Microsoft researchers gathered a sample in October showing numerous updates that highlight the malware’s abilities:

  • Deploys secondary payloads downloaded from cloud infrastructure.
  • Harvests the full download history of infected Macs by enumerating LSQuarantineDataURLString via SQLite.
  • Bypasses Gatekeeper by removing the quarantine attribute from downloaded payloads.
  • Uses PlistBuddy to modify PLIST files.
  • Uses existing user profiles to execute commands.
  • Modifies the sudoers list to grant admin permissions to regular users.

Evolution of WizardUpdate malware with new variants and adware

Microsoft researchers described the adware as having new capabilities and functionality, with improved persistence and evasion techniques.

This suggests the malware is harder to detect and remove; moreover, it can abuse public cloud infrastructure to host additional payloads.

Likewise, UpdateAgent, upon infection, installs new adware known as Adload, which belongs to the Adload malware family.

After infecting a targeted Mac, the malware scans and collects the system’s information and then sends it to its command-and-control (C2) server.

The most advanced capability of the malware is bypassing Apple’s Gatekeeper security feature.

Evolution of WizardUpdate Trojan

The malware leverages existing user permissions to create folders on infected devices. PlistBuddy is used to create and modify plists in LaunchAgents/LaunchDaemons for persistence. It then covers its tracks by deleting the created files, folders, and other artifacts.
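The LaunchAgent/LaunchDaemon persistence described above (and the cron/LaunchDaemon persistence Adload uses later in the article) is something a defender can audit from the plists themselves. The Python below is an added example written for this page, not code from the article, Microsoft or SentinelOne; the heuristics (scratch-directory paths, hidden path components, non-reverse-DNS labels) and both sample plists are constructed assumptions, not real UpdateAgent artifacts.

```python
"""Audit LaunchAgent/LaunchDaemon plists for the persistence traits described above.
Hypothetical helper, not Microsoft's or SentinelOne's tooling; sample plists are constructed.
Real use would read ~/Library/LaunchAgents/*.plist, /Library/LaunchAgents, /Library/LaunchDaemons.
"""
import plistlib
import re

# Scratch directories a persisted agent rarely has a legitimate reason to run from.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Legitimate labels are almost always reverse-DNS style, e.g. com.vendor.agent.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+){2,}$")


def audit_launch_plist(plist_bytes: bytes) -> list:
    """Return human-readable findings for one plist (empty list = nothing odd)."""
    findings = []
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    if not LABEL_RE.match(label):
        findings.append(f"label {label!r} is not reverse-DNS style")
    # The executable is given as Program or as ProgramArguments[0].
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if not program:
        findings.append("no Program/ProgramArguments key")
    if program.startswith(SUSPICIOUS_PREFIXES):
        findings.append(f"program runs from a scratch directory: {program}")
    if any(part.startswith(".") for part in program.split("/")[1:]):
        findings.append(f"program path has a hidden component: {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched whenever it exits")
    return findings


# Constructed sample mimicking a dropper-written agent; not a real UpdateAgent artifact.
SAMPLE_AGENT = plistlib.dumps({
    "Label": "updater",
    "ProgramArguments": ["/Users/Shared/.hidden/updater", "--run"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
# Constructed benign control resembling an ordinary vendor agent.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.syncagent",
    "Program": "/Applications/Example.app/Contents/MacOS/syncagent",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("agent", SAMPLE_AGENT), ("benign", SAMPLE_BENIGN)):
        print(name, audit_launch_plist(blob) or ["clean"])
```

Findings are hints for triage, not verdicts: a legitimate agent may trip one heuristic, so confirm against the binary's code signature and install source before removing anything.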


WizardUpdate malware spoofs legitimate software

The modus operandi of the new variant includes spoofing legitimate software.

Microsoft has not yet disclosed which legitimate software the malware spoofs. However, the company says the new variant is spread through drive-by downloads.

A drive-by download is the unintentional download of malware or malicious code by users onto their Mac devices.

It can also refer to software downloaded with the user’s permission but without the user understanding the consequences, for instance a virus mimicking a gaming mod.

How Adload macOS malware adapts

The WizardUpdate Trojan deploys second-stage malware payloads, including a malware variant known as Adload.

Adload has been active since late 2017, but its developers have continued to adapt it to avoid detection at installation and to resist removal attempts.

Adload is an aggressive adware infection that installs a man-in-the-middle web proxy to redirect the user’s web traffic through the attacker’s preferred servers. Its ultimate purpose is to hijack and redirect the user’s web browser for profit.

What Adload does

Adload installs itself under several different names, such as kreberisec, Apollo, Aphrodite SearchDaemon, and many more.

The names are not assigned at random; some of them follow a recognizable pattern.

Adload malware names

Several recent names that are used include:

  1. “ElementarySignalSearchDaemon”
  2. “NetSignalSearchDaemon”
  3. “SimpleSearchAppDaemon”
  4. “SearchQuesDaemon”
  5. “TrustedMacResultsSearchDaemon”
  6. “SearchQuest” and “ResultSync”

At least two Adload variants have been known to Apple’s XProtect definitions since November 2017 or earlier. Versions of Adload are still being reported in the wild by macOS users on the Apple Support Communities forums.

Adload malware slips through Apple’s XProtect defenses

An Adload malware variant is slipping past Apple’s YARA signature-based, built-in XProtect antivirus to infect Macs, as part of multiple campaigns tracked by cybersecurity firm SentinelOne.

Adload is a widespread Trojan that has targeted the macOS platform since late 2017. It is used to deploy several malicious payloads, including adware and PUAs.

The malware collects system information, which is later sent to remote servers monitored by its operators.

Microsoft said that UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Macs, by removing the downloaded file’s quarantine attribute.

WizardUpdate attack flow

In the latest variant, WizardUpdate’s developers have included evasion features that cover its tracks by deleting the files, folders and other artifacts it created on infected Macs.

The attack flow followed by WizardUpdate malware is shown in the figure below.

(Figure: Attack flow of WizardUpdate malware)

Malware on the Mac is worse than on iOS

Adload is one of the second-stage payloads delivered by WizardUpdate on compromised Macs. It injects advertisements into web pages and hijacks search engine results through a man-in-the-middle (MitM) web proxy for monetary gain.

It achieves persistence through LaunchAgents and LaunchDaemons. In most cases, user cron jobs are scheduled to run every two and a half hours.

While observing Adload campaigns active since November 2020, when WizardUpdate was also first flagged, SentinelOne threat researcher Phil Stokes found hundreds of samples, 150 of them unique and undetected by Apple’s built-in antivirus.

Most of the samples Phil Stokes found were signed with Apple-issued Developer ID certificates, while others were observed to run under default Gatekeeper settings.

Even though both WizardUpdate and Adload currently deploy adware and bundleware as secondary payloads, they could at any time shift to more threatening malware such as wipers or ransomware.

“Today, we have a level of malware on the Mac that we don’t find acceptable, which is even worse than iOS,” Craig Federighi said.

How to remove WizardUpdate browser hijacker

To remove WizardUpdate, follow these steps:

  1. Remove malicious profiles from the Mac

A profile can configure a Mac to do different things. IT admins use profiles to control the behavior of the Macs in their businesses. On home users’ machines, adware and browser hijacker configuration profiles prevent the user from removing the malicious programs from the computer and from changing browser settings.

  2. Remove WizardUpdate from the Mac

In this step we identify and remove any malicious apps and files that might be installed on your computer.

  3. Use Malwarebytes to remove WizardUpdate from the Mac

Scan your computer with Malwarebytes for Mac to find, identify and remove any malicious programs present on it. Malwarebytes is an on-demand scanner that destroys many types of malware that other software finds difficult to delete.

  4. Remove WizardUpdate from Safari, Chrome, or Firefox

If, after following all the above steps, you still have an issue with the WizardUpdate adware browser extension, reset your browser to its default configuration.

Conclusion

PUPs and adware get onto a computer through unsafe free downloads. It is recommended that you use only legitimate websites when downloading free applications.

Choose the custom or advanced installation option so that you can spot additional PUPs listed for installation alongside the main program.

Such measures should be taken to keep your computer systems safe and secure from malware.
