The evolution of a Mac trojan: UpdateAgent’s progression
Microsoft Security Blog, February 2, 2022
https://www.microsoft.com/en-us/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/

Our discovery and analysis of a sophisticated Mac trojan in October exposed a year-long evolution of a malware family—and depicts the rising complexity of threats across platforms. The trojan, tracked as UpdateAgent, started as a relatively basic information-stealer but was observed distributing secondary payloads in the latest campaign, a capability that it added in one of its multiple iterations. Reminiscent of the progression of info-stealing trojans on other platforms, UpdateAgent may similarly become a vector for other threats to infiltrate target systems.

Since its first appearance in September 2020, the malware has steadily gained more sophisticated capabilities, and while the latest two variants show much more refined behavior than earlier versions, they also show signs that the malware is still in the development stage and more updates are likely to come. The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent’s ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads.

UpdateAgent lures its victims by impersonating legitimate software and can leverage Mac device functionalities to its benefit. One of the most advanced techniques found in UpdateAgent’s latest toolbox is bypassing Gatekeeper controls, which are designed to ensure only trusted apps run on Mac devices. The trojan can leverage existing user permissions to quietly perform malicious activities before deleting the evidence to cover its tracks. UpdateAgent also misuses public cloud infrastructure, namely Amazon S3 and CloudFront services, to host its additional payloads. We shared our findings with the team at Amazon Web Services, and they have taken down the malicious URLs–another example of how intelligence sharing and collaboration results in better security for the broader community.

Threats like UpdateAgent are proof that, as environments continue to rely on a diverse range of devices and operating systems, organizations need security solutions that can provide protection across platforms and a complete picture of their security posture. Microsoft Defender for Endpoint delivers and coordinates threat defense across all major OS platforms including Windows, macOS, Linux, Android and iOS. On macOS devices, Microsoft Defender for Endpoint detects and exposes threats and vulnerabilities through its antivirus, endpoint detection and response (EDR), and threat and vulnerability management capabilities.

In this blog post, we share the evolving development of the UpdateAgent trojan targeting Mac users and detail the malware’s recent campaign to compromise devices, steal sensitive information, and distribute adware as a secondary payload.

Progression of UpdateAgent

UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns. Like many information-stealers found on other platforms, the malware attempts to infiltrate macOS machines to steal data, and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.

The trojan is likely distributed via drive-by downloads or advertisement pop-ups, which impersonate legitimate software such as video applications and support agents. Impersonating or bundling itself with legitimate software increases the likelihood that users are tricked into installing the malware. Once installed, UpdateAgent starts to collect system information that is then sent to its command-and-control (C2) server.

Notably, the malware’s developer has periodically updated the trojan over the last year to improve upon its initial functions and add new capabilities to the trojan’s toolbox. The timeline below illustrates a series of techniques adopted by UpdateAgent from September 2020 through October 2021:

Figure 1. Tracking the evolution of UpdateAgent