Prometheus ransomware
CyberDaily: Cybersecurity News

Microsoft revealed details of a Mac Trojan that was previously undocumented. Microsoft said the trojan underwent several changes ever since it first appeared in September 2020. The evolved trojan version has become advanced, as the article puts it, “increasing progression of sophisticated capabilities.”

Microsoft 365 Defender Threat Intelligence Team called the new malware family “UpdateAgent,” tracked its evolution from a barebones information stealer to a second-stage payload spreader observed during multiple attacks in 2021.

Also read,

“The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent’s ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads,” the researchers said.

The malware, said to be, spreads via drive-by downloads or advertisement pop-ups that conceal as legitimate software like video applications and support agents, even as the authors have incrementally improved the malware that has changed UpdateAgent into a permanent piece of malware.

The major improvements are the ability to exploit existing user permissions to secretly perform malicious activities and avoid macOS Gatekeeper controls. The Gatekeeper controls ensure that only trusted applications created by identified developers can be installed on a system.

Further, UpfateAgent exploits public cloud infrastructure, namely Amazon S3 and CloudFront services. The UpdateAgent carries its second-stage payloads, including adware, in the form of .DMg or .ZIP files.

The Adload malware, once installed, uses ad injection software and man-in-the-middle (MiTM) techniques to seize and reroute users’ internet traffic through the attacker’s servers. The rerouting to plant rogue ads into web pages and search engine results increase the infection rate across multiple devices. 

“UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns,” the researchers cautioned.