Microsoft tracking increasingly sophisticated Mac trojan that delivers adware

Malware illustration

The malware family, dubbed UpdateAgent by the Microsoft 365 Defender Threat Intelligence Team, first surfaced in September 2020. Since then, it has gradually progressed from a simple information extractor to a more dangerous piece of malware that can deliver other payloads.

UpdateAgent, which is actively in development by malware authors, can infect user Macs through vectors like drive-by downloads or pop-up ads. It often presents itself like a legitimate piece of software, such as a video app or a support agent.

Some of the trojan's more nefarious elements include capabilities like bypassing Apple's Gatekeeper security control or using existing permissions to delete evidence of its existence on a Mac. Back in August, it was updated with a new ability to inject persistent code that can run as root in an invisible background process.

Additionally, the malware uses public cloud infrastructure like Amazon S3 or CloudFront to deliver second-stage payloads in the form of .dmg or .zip files.

These tactics can allow it covertly carry out malicious activities, like delivering adware or other payloads. While it's currently used to deliver an "unusually persistent" adware called Adload, Microsoft says attackers could leverage UpdateAgent to deliver more potentially dangerous attacks down the road.

"UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns," Microsoft said of the malware.

Although UpdateAgent was first discovered by Microsoft in October 2021, it has been in the wild since at least late 2020. Later versions of UpdateAgent display "much more refined behavior compared with earlier versions," which could suggest that future updates could be on the horizon.

What's at risk, and how to protect yourself

Microsoft did not disclose if there were any specific versions of macOS vulnerable to the malware. Because it is still being actively developed, it's better to assume that your Mac is vulnerable to the malware than not.

UpdateAgent has one key weakness compared to other Mac threats: it requires the user to explicitly download a malicious file.

Because of that, it's recommended that you only get apps directly from trusted developers and services like the Mac App Store. Avoid clicking on links in advertisements and don't download anything from a pop-up on a website.