The Mac trojan can leverage existing user permissions to secretly perform malicious activities before deleting the evidence to cover its tracks.
“UpdateAgent also misuses public cloud infrastructure, namely Amazon S3 and CloudFront services, to host its additional payloads,” said the Microsoft 365 Defender Threat Intelligence Team.
Amazon Web Services (AWS) has taken down the malicious URLs.
Since its first appearance in September 2020, the malware has displayed an increasing progression of sophisticated capabilities.
“The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent’s ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads,” Microsoft said in a statement on Wednesday.
Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results.
“It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers’ C2 servers,” said Microsoft.
Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns, it warned.