Blog

This Mac Malware Should Have Users Worried

Nov 5, 2021 | Blog

Researchers from Microsoft have reported the discovery of a new variant of macOS malware called WizardUpdate.

The new version should worry all Mac users because it has been upgraded to incorporate enhanced evasion and persistence tactics that will make it more difficult to track, locate and ultimately stop.

WizardUpdate is also known as UpdateAgent and it is based on code that is distributed via download repositories. That is where it masquerades as a legitimate software. Although the researchers found no direct indication of how this new variant is distributed it follows that the group behind the code would use similar if not outright identical techniques.

WizardUpdate has had a short but interesting history. It was first discovered in November 2020. In its earliest incarnation the code could do little more than collecting and exfiltrating basic system information. That proved to be but a simple test. Since its initial release WizardUpdate has seen numerous upgrades.

The latest build includes the following capabilities:

  • To grant admin permissions to regular users
  • To leverage existing user profiles to execute commands
  • To modify PLIST files using PlistBuddy
  • To bypass Gatekeeper by removing quarantine attributes from downloaded payloads
  • To grab the full download history for infected Macs by enumerating LSQuarantineDataURL String using SQLite
  • And to deploy secondary payloads downloaded from cloud infrastructure

Microsoft had this to say about the newly discovered strain:

“UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file’s quarantine attribute.”

“It also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy¬†to create and modify Plists in LaunchAgent/ LaunchDeamon for persistence.”

WizardUpdate by any name is a scarily capable malware strain and Mac users should be on high alert.

FBI Program Tasked with Infrastructure Security Compromised

FBI Program Tasked with Infrastructure Security Compromised

The FBI program tasked with ensuring critical infrastructure security has been compromised by hackers, who now offer access to the program's data on the dark web. The breach was initially disclosed by Brian Krebs of Krebs on Security, who claims that the data was for...

Streamline Your Business with the Latest Smart Home Technology

Streamline Your Business with the Latest Smart Home Technology

Are you a business owner looking to get the most out of your Google smart home devices? If so, you're in luck! Google has enabled its Nest products and Android OS with the initial rollout of the Matter smart home standard. This means that businesses now have the...

Data Breach at Sequoia One Exposes Sensitive Customer Information

Data Breach at Sequoia One Exposes Sensitive Customer Information

What do you do when your most personal information has been compromised? This is likely the question that customers of Sequoia One asked themselves earlier this month as they were informed that the company had been hacked. Sequoia One specializes in the management of...

Cisco Reports Critical IP Phone Vulnerability

Cisco Reports Critical IP Phone Vulnerability

As a business owner, it's important to stay informed about potential vulnerabilities that could impact your organization. Recently, Cisco reported a critical vulnerability, tracked as CVE-2022-20968, affecting its IP Phone 7800 and 8800 Series. This new vulnerability...

Google Chrome Releases Two New Features

Google Chrome Releases Two New Features

Google Chrome is one of the more commonly used web browsers. Over the years, though, Chrome has gained a reputation for utilizing a large portion of a computer's memory. This can be a problem if you're running other resource-intensive tasks and don't want to slow...

Get a Free Consultation

 

Fill out the form below to receive a free consultation and learn how we can make your technology worry-free!

 

Contact Information

  • 39301 Badger Street, Suite 500
    Palm Desert, CA 9221
  • (760) 333-8523
  • info@icn.tech