Microsoft has one of the best Mac security research facilities? 

Researchers from Microsoft have reported the discovery of a new variant of macOS malware called WizardUpdate. The new version should worry all Mac users because it has been upgraded to incorporate enhanced evasion and persistence tactics that will make it more difficult to track, locate and ultimately stop.

WizardUpdate is also known as UpdateAgent and it is based on code that is distributed via download repositories. That is where it masquerades as a legitimate software. Although the researchers found no direct indication of how this new variant is distributed it follows that the group behind the code would use similar if not outright identical techniques.

WizardUpdate has had a short but interesting history. It was first discovered in November 2020. In its earliest incarnation the code could do little more than collecting and exfiltrating basic system information. That proved to be but a simple test. Since its initial release WizardUpdate has seen numerous upgrades.

 

The latest build includes the following capabilities

  • To grant admin permissions to regular users
  • To leverage existing user profiles to execute commands
  • To modify PLIST files using PlistBuddy
  • To bypass Gatekeeper by removing quarantine attributes from downloaded payloads
  • To grab the full download history for infected Macs by enumerating LSQuarantineDataURL String using SQLite
  • And to deploy secondary payloads downloaded from cloud infrastructure

 

Microsoft had this to say about the malware

"UpdateAgent abuses public cloud infrastructure to host additional payloads and attempts to bypass Gatekeeper, which is designed to ensure that only trusted apps run on Mac devices, by removing the downloaded file's quarantine attribute."

"It also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/ LaunchDeamon for persistence."

 

My perspective

WizardUpdate by any name is a scarily capable malware strain and Mac users should be on high alert.

 

Your security system should do a Batman and say:
"To the Batmobile!"

 


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work@home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.

 

Contact me if you would like me to speak to your association