Researchers from Microsoft have reported the discovery of a new variant of macOS malware called WizardUpdate.
The new version should worry all Mac users because it has been upgraded to incorporate enhanced evasion and persistence tactics that will make it more difficult to track, locate and ultimately stop.
WizardUpdate is also known as UpdateAgent, and it is based on code that is distributed via download repositories, where it masquerades as legitimate software. Although the researchers found no direct indication of how this new variant is distributed, it follows that the group behind the code would use similar, if not identical, techniques.
WizardUpdate has had a short but interesting history. It was first discovered in November 2020. In its earliest incarnation the code could do little more than collect and exfiltrate basic system information. That proved to be but a simple test. Since its initial release WizardUpdate has seen numerous upgrades.
The latest build includes the following capabilities:
- To grant admin permissions to regular users
- To leverage existing user profiles to execute commands
- To modify PLIST files using PlistBuddy
- To bypass Gatekeeper by removing quarantine attributes from downloaded payloads
- To grab the full download history of infected Macs by enumerating LSQuarantineDataURLString entries using SQLite
- To deploy secondary payloads downloaded from cloud infrastructure
Microsoft had this to say about the newly discovered strain:
"UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file's quarantine attribute."
"It also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDaemon for persistence."
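A defender-side check for the LaunchAgent/LaunchDaemon persistence described above, added here as an example and not code from the article or from Microsoft: it parses every plist in a directory and flags jobs that auto-start a program from outside an assumed allowlist of trusted path prefixes (TRUSTED_PREFIXES and the two sample plists are constructed for the demo).

```python
import os
import plistlib
import tempfile

# Assumed allowlist: prefixes from which a legitimate launchd job is expected to run.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/opt/homebrew/")


def audit_launch_agents(agent_dir):
    """Return (plist name, reason) pairs for auto-starting jobs that point
    outside TRUSTED_PREFIXES, i.e. the shape of a dropped persistence plist."""
    findings = []
    for name in sorted(os.listdir(agent_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agent_dir, name), "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a malformed plist in this folder is itself worth a look
            findings.append((name, f"unparseable plist: {exc}"))
            continue
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        program = str(args[0]) if args else ""
        autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
        if autostart and not program.startswith(TRUSTED_PREFIXES):
            findings.append((name, f"auto-start of untrusted path: {program}"))
    return findings


def demo():
    """Constructed sample directory: one benign agent and one that launches a
    binary from a hidden folder under the user's home, as a dropped payload would."""
    with tempfile.TemporaryDirectory() as d:
        benign = {"Label": "com.example.updater",
                  "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
                  "RunAtLoad": True}
        suspect = {"Label": "com.example.agent",
                   "ProgramArguments": ["/Users/alice/Library/.cache/agent", "--silent"],
                   "RunAtLoad": True, "KeepAlive": True}
        for fname, job in (("com.example.updater.plist", benign),
                           ("com.example.agent.plist", suspect)):
            with open(os.path.join(d, fname), "wb") as fh:
                plistlib.dump(job, fh)
        return audit_launch_agents(d)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real Mac, point audit_launch_agents at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; hits are leads for review, not verdicts.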
WizardUpdate by any name is a scarily capable malware strain and Mac users should be on high alert.