The Hacker News reports that the UpdateAgent macOS malware has been updated with new functionalities since evolving as a malware dropper.
The novel UpdateAgent malware dropper variant has been observed by Jamf Threat Labs researchers to impersonate the "PDFCreator" and "ActiveDirectory" Mach-O binaries, which create a remote server connection and facilitate bash script retrieval upon execution.
"The primary difference [between the two executables] is that it reaches out to a different URL from which it should load a bash script," said researchers.
The report also noted the inclusion of Amazon S3 bucket-directing URLs within the "activedirec.sh" or "bash_qolveevgclr.sh" bash scripts to enable second-stage disk image file downloads and execution in a compromised endpoint.
"Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server. The continued development of this malware shows that its authors continue to remain active, trying to reach as many users as possible," researchers added.