Researchers from Microsoft have reported the discovery of a new variant of macOS malware called WizardUpdate.

The new version should worry all Mac users because it has been upgraded to incorporate enhanced evasion and persistence tactics that will make it more difficult to track, locate and ultimately stop.

WizardUpdate, also known as UpdateAgent, is based on code distributed via download repositories, where it masquerades as legitimate software. Although the researchers found no direct indication of how this new variant is distributed, it follows that the group behind the code would use similar, if not outright identical, techniques.

WizardUpdate has had a short but interesting history. It was first discovered in November 2020. In its earliest incarnation the code could do little more than collect and exfiltrate basic system information. That proved to be but a simple test. Since its initial release, WizardUpdate has seen numerous upgrades.

The latest build includes the following capabilities:

  • To grant admin permissions to regular users
  • To leverage existing user profiles to execute commands
  • To modify PLIST files using PlistBuddy
  • To bypass Gatekeeper by removing quarantine attributes from downloaded payloads
  • To grab the full download history of infected Macs by enumerating LSQuarantineDataURLString using SQLite
  • And to deploy secondary payloads downloaded from cloud infrastructure
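The persistence and Gatekeeper-bypass behaviours in that list leave traces a defender can look for. The following is an added example (not from Microsoft's report or this article) that audits LaunchAgent/LaunchDaemon plists for programs run at load from unusual directories, command lines that strip the com.apple.quarantine attribute, and invocations of download or scripting tools; the directory list and the two sample plists are constructed assumptions for illustration.

```python
import glob
import os
import plistlib
from typing import Dict, List

# Directories a legitimate launch item rarely executes from (assumption; tune to your fleet).
UNUSUAL_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Downloads/")

def audit_launch_plist(data: bytes) -> List[str]:
    """Return findings for one LaunchAgent/LaunchDaemon plist (empty list = nothing notable)."""
    findings: List[str] = []
    try:
        plist = plistlib.loads(data)
    except plistlib.InvalidFileException:
        return ["plist could not be parsed"]
    # launchd accepts either a single Program path or a ProgramArguments array.
    args = [plist["Program"]] if "Program" in plist else []
    args += list(plist.get("ProgramArguments") or [])
    cmdline = " ".join(str(a) for a in args)
    if not cmdline:
        return findings
    if plist.get("RunAtLoad") and any(d in cmdline for d in UNUSUAL_DIRS):
        findings.append(f"RunAtLoad program in unusual location: {cmdline}")
    if "xattr" in cmdline and "com.apple.quarantine" in cmdline:
        findings.append("command strips the quarantine attribute (Gatekeeper bypass)")
    if any(tool in cmdline for tool in ("curl ", "osascript", "PlistBuddy")):
        findings.append(f"command invokes a download/scripting tool: {cmdline}")
    return findings

def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Audit every .plist in a LaunchAgents/LaunchDaemons directory; returns only files with findings."""
    results: Dict[str, List[str]] = {}
    for path in glob.glob(os.path.join(directory, "*.plist")):
        with open(path, "rb") as fh:
            findings = audit_launch_plist(fh.read())
        if findings:
            results[os.path.basename(path)] = findings
    return results

# Constructed sample plists (not real malware artifacts): one benign, one that mirrors the
# persistence-plus-quarantine-stripping pattern described in the article.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup", "--daemon"],
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/sh", "-c",
                         "xattr -d com.apple.quarantine /Users/Shared/.upd && /Users/Shared/.upd"],
    "RunAtLoad": True,
})
```

Run audit_directory against ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons to review real items; the two samples show the expected empty and non-empty results.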

What does this mean for you:

Be careful about what you download! Be sure your system is being patched and getting proper maintenance. And be sure you're using tools like VPNs, DNS filters, and other tools that filter and scan your internet traffic. As always, this doesn't mean you should install the latest major OS updates right away, just the security patches and the adware and malware definition updates. If you aren't sure, get an IT professional to help you. You get help with your car when it breaks down... why not your tech?

Microsoft had this to say about the newly discovered strain:

"UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file's quarantine attribute."

"It also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDaemon for persistence."

WizardUpdate, by any name, is a scarily capable malware strain, and Mac users should be on high alert.

Used with permission from Article Aggregator