Researchers from Microsoft have reported the discovery of a new variant of macOS malware called WizardUpdate.

The new version should worry all Mac users because it has been upgraded to incorporate enhanced evasion and persistence tactics that will make it more difficult to track, locate and ultimately stop.

WizardUpdate is also known as UpdateAgent and it is based on code that is distributed via download repositories. That is where it masquerades as a legitimate software. Although the researchers found no direct indication of how this new variant is distributed it follows that the group behind the code would use similar if not outright identical techniques.

WizardUpdate has had a short but interesting history. It was first discovered in November 2020. In its earliest incarnation the code could do little more than collecting and exfiltrating basic system information. That proved to be but a simple test. Since its initial release WizardUpdate has seen numerous upgrades.

The latest build includes the following capabilities:

  • To grant admin permissions to regular users
  • To leverage existing user profiles to execute commands
  • To modify PLIST files using PlistBuddy
  • To bypass Gatekeeper by removing quarantine attributes from downloaded payloads
  • To grab the full download history for infected Macs by enumerating LSQuarantineDataURL String using SQLite
  • And to deploy secondary payloads downloaded from cloud infrastructure

Microsoft had this to say about the newly discovered strain:

"UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file's quarantine attribute."

"It also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/ LaunchDeamon for persistence."

WizardUpdate by any name is a scarily capable malware strain and Mac users should be on high alert.

Used with permission from Article Aggregator