Since its emergence in September 2020, the Mac trojan UpdateAgent has evolved from a basic information stealer into a second-stage payload distributor observed in various attacks last year, and it is now also capable of hosting its payloads in the public cloud, The Hacker News reports, citing researchers from the Microsoft 365 Defender Threat Intelligence Team.
UpdateAgent has been found to install persistent Adload adware and is being spread through pop-up advertisements spoofing video apps, support agents, and other legitimate software.
Researchers also identified numerous improvements to the UpdateAgent malware, including the ability to abuse CloudFront and Amazon S3 to host second-stage payloads in .dmg or .zip format, among them the Adload malware.
The enhanced UpdateAgent is now also capable of leveraging the current user's permissions not only to carry out malicious activities but also to evade Gatekeeper controls in macOS.
"UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns," the researchers said.