UpdateAgent is a Trojan threat targeting Mac devices. The malware first emerged in September 2020 with the capabilities of a relatively simple infostealer. Since then, the cybercriminals behind it have developed it continuously, adding more and more advanced malware capabilities. The latest UpdateAgent variants have turned into sophisticated Trojans with far more focused and refined behavior.
Details about the UpdateAgent threat were revealed to the public in a report by the Microsoft 365 Defender Threat Intelligence Team. The experts have been following the evolution of the threat and the multiple harmful campaigns it has been part of. According to their findings, UpdateAgent is still under active development and may continue to be equipped with additional malicious functionalities.
Distribution and Capabilities
UpdateAgent is most likely spread via drive-by downloads or deceptive advertisement pop-ups that claim to offer legitimate software products, such as video applications or support agents, but in reality deliver the Trojan. Impersonating real products, or being bundled alongside legitimate software, increases the chances of UpdateAgent infiltrating the user's Mac system.
Once deployed on the device, UpdateAgent begins harvesting various data types and transmitting them to its Command-and-Control (C2, C&C) server. Beyond its infostealer activity, the more recent versions of the threat can leverage the already existing user permissions to perform intrusive actions, then delete any remaining evidence to cover their tracks. One of the most sophisticated features added to the Trojan is the ability to bypass Gatekeeper, the built-in macOS feature tasked with enforcing code signing and verifying downloaded apps in order to stop potential malware threats.
In an attack campaign that took place in October 2021, infosec researchers observed UpdateAgent fetching and deploying a second-stage payload on the infected systems. The Trojan dropped a variant of the AdLoad adware family. While AdLoad is mostly tasked with injecting unwanted advertisements and displaying them to users, cybercriminals could use UpdateAgent to drop other, far more threatening payloads, such as ransomware. It should be noted that the second-stage payloads deployed by UpdateAgent were hosted on public cloud infrastructure, namely Amazon S3 and CloudFront. After Microsoft shared its findings with Amazon Web Services, the unsafe URLs were taken down.