It uses PlistBuddy to create and modify Plists in LaunchAgent/ LaunchDeamon for persistence." "It also leverages existing user permissions to create folders on the affected device. "UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file’s quarantine attribute," Microsoft said. The trojan will deploy second-stage malware payloads, including a malware variant tracked as Adload, active since late 2017 and known for being able to slip through Apple's YARA signature-based XProtect built-in antivirus to infect Macs.
change the sudoers list to give admin permissions to regular usersĪfter it infects a target's Mac, the malware starts scanning for and collecting system information that gets sent to its command-and-control (C2) server. leverage existing user profiles to execute commands. bypass Gatekeeper by removing quarantine attributes from downloaded payloads. #CUDA UPDATE MAC MALWARE FULL#
grab the full download history for infected Macs by enumerating LSQuarantineDataURLString using SQLite. 
deploy secondary payloads downloaded from cloud infrastructure. The sample collected by Microsoft researchers in October comes with several upgrades, including the ability to: Since the first variants were observed in November 2020, when it was only capable of collecting and exfiltrating system info, WizardUpdate was updated multiple times by its developers. Microsoft says it found new variants of macOS malware known as WizardUpdate (also tracked as UpdateAgent or Vigram), updated to use new evasion and persistence tactics.Īs Microsoft security experts found, the latest variant - spotted earlier this month - is likely being distributed via drive-by downloads and it impersonates legitimate software, just as it was when threat intelligence firm Confiant discovered it camouflaged as Flash installers in January.
0 kommentar(er)
