Experts spotted a new variant of UpdateAgent macOS malware dropper written in Swift

Researchers spotted a new variant of the UpdateAgent macOS malware dropper that was employed in attacks in the wild.

Researchers from the Jamf Threat Labs team have uncovered a new variant of the UpdateAgent macOS malware dropper. The new version is written in Swift and relies on the AWS infrastructure to host its malicious payloads. 

The new variant of the malware supports common dropper features, including some minor system fingerprinting, endpoint registration, and persistence.

“The second stage download and execute the functionality of droppers, in general, represent a risky class of malware that support a number of second-stage attacks — from malware to spyware, to adware.” reads the analysis of the experts.

The experts noticed a surge in adware/malware distributed via the latest variant of the UpdateAgent macOS malware dropper, which was masquerading as PDFCreator. At the time of discovery, the binary had a zero rate detection in VirusTotal and at the time of this writing, the detection rate is 3 out of 60.

Upon executing the malware, it connects to a remote server and retrieves a bash script to be executed.

The bash script runs directly from the Swift dropper without being saved on the hard drive.

“The authors of the UpdateAgent malware remain vigilant in keeping it up to date. It is known for having a well-built backend that allows itself to be easily updated, and although we’ve only seen adware families dropped by it, security experts are concerned that there might be other malicious plans for the future with such a well-built infrastructure.” the researchers conclude.

The report also includes indicators of compromise for this threat.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UpdateAgent)

[adrotate banner=”5″]

[adrotate banner=”13″]