Microsoft researchers have discovered a new variant of WizardUpdate, a macOS-specific strain of malware.

All Mac/Apple users should be aware of the new version. It features enhanced persistence and evasion techniques that make it harder to find, track down and stop.

WizardUpdate, also referred to as UpdateAgent, is built on code pulled from download repositories, which is how it disguises itself as legitimate software. Researchers could not prove that the new version was distributed by the same group responsible for earlier versions, but it evidently uses similar or identical methods.

WizardUpdate's history is short but eventful. It was first discovered in late 2020, when it did little more than gather basic system information and exfiltrate it, which was trivial functionality. It has been updated many times since its original release.

This latest build comes with these capabilities:

  • Requiring administrator permissions from regular users
  • Using existing user profiles to execute commands
  • Using PlistBuddy to update plist files
  • Bypassing Gatekeeper by removing the quarantine attribute from downloaded payloads
  • Using SQLite to enumerate LSQuarantineDataURLString entries and retrieve the full download history of infected Macs
  • Using cloud infrastructure to deploy secondary payloads

Microsoft shared these observations about the newly discovered strain.

"UpdateAgent hosts additional payloads in public cloud infrastructure. Gatekeeper is used to ensure that only trusted apps are running on Macs. It has also attempted to bypass it. This is accomplished by removing the quarantine attribute of the downloaded file."

It can also use existing permissions to create folders, and it uses PlistBuddy to edit LaunchAgent/LaunchDaemon plists, which gives it persistence across reboots and logins.
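To show what a defender looks for when hunting for this kind of LaunchAgent/LaunchDaemon persistence, here is an added example (not code from Microsoft or from this article) that parses a constructed launchd plist with Python's plistlib and flags the markers described above. The label, paths and heuristics are assumptions for illustration only.

```python
import plistlib

# Constructed sample: a LaunchAgent plist of the kind a tool such as PlistBuddy
# would write. Label, paths and script name are made up for this example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string>
         <string>/Users/demo/Library/.cache/.update</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>"""

# Constructed benign plist for contrast: a normal app binary, no KeepAlive.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "Program": "/Applications/Backup.app/Contents/MacOS/backup",
    "RunAtLoad": True,
})

# Heuristics (assumed): legitimate agents rarely run from temp or home dirs,
# rarely launch a shell interpreter directly, and rarely use hidden paths.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}

def triage_plist(data: bytes) -> dict:
    """Parse a launchd plist and return findings suggesting malicious persistence."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or (
        [plist["Program"]] if "Program" in plist else [])
    findings = []
    if not args:
        findings.append("no program to run")
    elif args[0] in INTERPRETERS:
        findings.append(f"interpreter launch: {args[0]}")
    for a in args:
        if a.startswith(SUSPICIOUS_PREFIXES):
            findings.append(f"path in user-writable location: {a}")
        elif "/." in a:
            findings.append(f"hidden path component: {a}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (auto-start and auto-restart)")
    return {"label": plist.get("Label", "<none>"), "args": args, "findings": findings}

if __name__ == "__main__":
    for blob in (SAMPLE_PLIST, BENIGN_PLIST):
        print(triage_plist(blob))
```

On a real Mac the same function would be run over every file in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.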

Mac users should be cautious about WizardUpdate

A new malware strain is affecting some Android users.

A new, very dangerous strain is targeting Android devices. AbstractEmu is no joke: it automatically roots infected devices and gives the malware complete control. In an effort to avoid detection, it modifies its own settings.

Cybersecurity researchers at Lookout Threat Labs discovered the new strain. It was found to be distributed via third-party repositories and the Google Play Store along with legitimate utility applications.

Google removed the malware from its Play Store, but not before thousands had downloaded it. It is still available from a few third-party repositories, so be extra cautious if you download apps from third-party repositories rather than from the Play Store.

The team that discovered the new strain had these words to share:

"AbstractEmu doesn't have advanced zero-click remote exploit functionality. This is often used in advanced APT threats. It can be activated by opening the application. Most users will activate the malware as soon as they download it."

Rooting gives the threat actor privileged access to Android's operating system, letting them grant the malware dangerous permissions to install additional malicious software and perform other tasks that would normally require interaction from the user.

AbstractEmu's creators clearly have a lot of programming experience, so none of this should be surprising. The threat group is still looking for new opportunities, despite the malware having been removed from the Google Play Store.

If you are like most businesses, your employees use a combination of Mac and Android devices. Do you know whether they are safe from outside attack? Is your network secure? Give Integrated Technology Systems a call if you have any doubts. Use the Book a Consultation form to the right to schedule a complete review of your systems.