The team in charge of searching, recognizing, and investigating threats at Microsoft has found an undocumented Trojan that attacks and infects Mac computers called UpdateAgent. The most interesting thing, and what worries the team at the Windows company, is its ability to progress since its first appearance in September 2020. This article will show the most important details of it.

Read: CISA is concerned about an actively exploited Windows vulnerability

The Microsoft 365 Defender team found the “UpdateAgent”

Microsoft has a team dedicated to finding, identifying, investigating, and reporting on the various threats that arise for the different operating systems and devices out there. This team is called the Microsoft 365 Defender Threat Intelligence Team, which this time found this Trojan that has not been documented but has shown to have undergone several iterations, which allows it to be constantly changing.

The evolution of this “UpdateAgent,” as it was called by the 365 Defender team, has gone from a barebones information stealer to a second-stage payload distributor as part of multiple attack waves that happened in 2021. “The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent’s ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads,” was part of the state that the team released.

This malware, which is in constant active development, is distributed via simple secondary downloads or pop-up ads that pose as legitimate software when, in fact, they are just a cover to infect devices. The authors of this malware have not been identified, but their progressive and constant improvements must be recognized.

Characteristics of “UpdateAgent” malware

One of its main features is that it manages to abuse the permissions of existing users, thus surreptitious activities can be carried out, and the Gatekeeper controls that Mac systems have can be eluded. These controls are responsible for allowing installations of third-party applications that are trusted by certified developers.

It was also discovered that this agent takes advantage of cloud services such as Amazon S3 and CloudFront to host its adware in DMG or .ZIP formats. When Adload is installed, it begins to use ad injection and man-in-the-middle techniques to redirect web traffic past the attacker’s servers, thereby inserting fake ads on websites and search engine results to infect different computers.

In this way, it is shown that although simple, UpdateAgent is a malware to be aware of, since its ability to constantly improve and update makes it a malware to be feared, since it may present greater capabilities in the future. Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.

Facebook: Eagle Tech Corp

Instagram: @eagletech_corp

Twitter: @eagletechcorp

LinkedIn: Eagle Tech

YouTube: Eagle Tech Corp