
Microsoft tracking increasingly sophisticated Mac trojan that delivers adware

Microsoft's security team has detailed a relatively new piece of Mac malware that has evolved significantly to offer attackers an "increasing progression of sophisticated capabilities."

The malware family, dubbed UpdateAgent by the Microsoft 365 Defender Threat Intelligence Team, first surfaced in September 2020. Since then, it has gradually progressed from a simple information extractor to a more dangerous piece of malware that can deliver other payloads.

UpdateAgent, which is actively in development by malware authors, can infect user Macs through vectors like drive-by downloads or pop-up ads. It often presents itself like a legitimate piece of software, such as a video app or a support agent.

Some of the trojan's more nefarious elements include capabilities like bypassing Apple's Gatekeeper security control or using existing permissions to delete evidence of its existence on a Mac. Back in August, it was updated with a new ability to inject persistent code that can run as root in an invisible background process.

Additionally, the malware uses public cloud infrastructure like Amazon S3 or CloudFront to deliver second-stage payloads in the form of .dmg or .zip files.
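The delivery pattern just described (a .dmg or .zip second stage pulled from Amazon S3 or CloudFront) is something a defender can hunt for in web-proxy logs. The following is an added example, not code from the article or from Microsoft's report; the log format, the sample lines and the client addresses are constructed, and the AWS host suffixes are assumed to be the only cloud hosts of interest.

```python
# Added example (not from the article or Microsoft's report): a small detection
# pass over constructed web-proxy log lines, flagging macOS disk images and
# archives fetched from public AWS hosts, the second-stage delivery pattern the
# article attributes to UpdateAgent. Log format and hostnames are assumptions.
from urllib.parse import urlparse

# Host suffixes for Amazon S3 and CloudFront (well-known AWS domains).
CLOUD_HOST_SUFFIXES = (".amazonaws.com", ".cloudfront.net")
# File types the article names as UpdateAgent second-stage payload containers.
PAYLOAD_EXTENSIONS = (".dmg", ".zip")

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2022-02-03T10:01:12Z 10.0.0.7 GET https://updates.example.org/app-1.2.dmg 200
2022-02-03T10:02:45Z 10.0.0.9 GET https://d1234example.cloudfront.net/cache/v2/PlayerUpdate.dmg 200
2022-02-03T10:03:01Z 10.0.0.9 GET https://example-bucket.s3.amazonaws.com/assets/logo.png 200
2022-02-03T10:04:30Z 10.0.0.12 GET https://example-bucket.s3.amazonaws.com/pkg/helper.zip 200
2022-02-03T10:05:00Z 10.0.0.12 GET https://www.apple.com/ 200
"""

def parse_line(line):
    """Split one constructed proxy log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}

def is_cloud_payload(url):
    """True when the URL is a .dmg/.zip served from an S3 or CloudFront host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    return host.endswith(CLOUD_HOST_SUFFIXES) and path.endswith(PAYLOAD_EXTENSIONS)

def find_suspect_downloads(log_text):
    """Return (client, url) pairs worth triaging: successful GETs of cloud payloads."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        if is_cloud_payload(rec["url"]):
            hits.append((rec["client"], rec["url"]))
    return hits

if __name__ == "__main__":
    for client, url in find_suspect_downloads(SAMPLE_LOG):
        print(f"triage: {client} fetched {url}")
```

Treat a hit as a triage signal rather than a verdict: plenty of legitimate software is also distributed from S3 and CloudFront, so correlate it with what process on the Mac made the request and what ran afterwards.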

These tactics can allow it to covertly carry out malicious activities, like delivering adware or other payloads. While it's currently used to deliver an "unusually persistent" adware called Adload, Microsoft says attackers could leverage UpdateAgent to deliver more potentially dangerous attacks down the road.

"UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns," Microsoft said of the malware.

Although UpdateAgent was first discovered by Microsoft in October 2021, it has been in the wild since at least late 2020. Later versions of UpdateAgent display "much more refined behavior compared with earlier versions," which could suggest that future updates could be on the horizon.

What's at risk, and how to protect yourself

Microsoft did not disclose if there were any specific versions of macOS vulnerable to the malware. Because it is still being actively developed, it's better to assume that your Mac is vulnerable to the malware than not.

UpdateAgent has one key weakness compared to other Mac threats: it requires the user to explicitly download a malicious file.

Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.

24 Comments

rob53 13 Years · 3313 comments

Interesting article considering Congress is trying to force side-loading. Here’s the ringer—

“Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.”

This is why many of us don’t want side-loading. Why is Congress trying to open up iOS instead of allowing Apple to try to make it as secure as possible?

stevenoz 16 Years · 317 comments

I personally only use the App Store... but if it should happen to someone... would Malwarebytes Anti-Malware software be able to fix the problem?

rob53 13 Years · 3313 comments

stevenoz said:
I personally only use the App Store... but if it should happen to someone... would Malwarebytes Anti-Malware software be able to fix the problem?

Hopefully detect and block it before it does damage but not sure if it’s on their list. 

lkrupp 19 Years · 10521 comments

Magic word is “trojan”. Stupid people click on this shit and then march over to the Apple Discussion Forums demanding Apple fix it... RIGHT NOW!

I still get the “You need to update to the latest version of Flash Player to view this content” once in a while. And the dumb asses of the world go right ahead and click.

lkrupp 19 Years · 10521 comments

Does this article mean to imply that Apple is unaware of this and is not tracking it? Seems so. Only Microsoft cares about Apple users, not Apple?