UpdateAgent is Back with a Vengeance

Analysts at Microsoft Security Intelligence have discovered a new variant of UpdateAgent, also known as WizardUpdate. This malware targets Mac devices by impersonating legitimate MacOS software. UpdateAgent has been in use since 2020, but the latest version has improvements that make it significantly more effective.

Researchers originally discovered UpdateAgent in November 2020. However, the latest variant has new features such as advanced evasion and persistence tactics that make this malware more difficult to detect and remove from the host system. Another new feature of UpdateAgent is the ability to host additional payloads by exploiting public cloud infrastructure. For example, UpdateAgent installs adware called Adload, which collects system information and sends it to a C2 server that offers controlled access protection. The latest version of UpdateAgent also firmly embeds itself in the host system, making it more difficult to remove.


One of UpdateAgent’s most significant improvements is the ability to bypass Gatekeeper by removing the quarantine attribute from its own file. Gatekeeper is the core component of MacOS security, which verifies downloaded applications and enforces code signatures for those applications before it will allow Macbooks to execute them. However, UpdateAgent can prevent Gatekeeper from performing these functions, just like OSX/Dok, an earlier malware with many similar features. One of these includes imitating known banking websites to fool users into enter their credentials into a fake login page, thinking that it’s the bank’s login page.


Hackers use various methods to trick users into downloading files infected with UpdateAgent, usually through spam emails. Once this malware is installed on the host system, it disables multiple security protocols to avoid detection and redirects traffic from Apple’s servers to the host. It then creates a The Onion Router (TOR) connection to ensure anonymity and connects to a command-and-control center. UpdateAgent’s next step is to read the host’s IP address, which it uses to customize its attack strategy.

For example, it can identify banks with branches in the user’s geographic vicinity and present the user with false websites of those banks. The malware then prompts users to enter their credentials into the fake website and download a well-known message app called Signal. This app is legitimate, but it requires users to provide their phone numbers for the purpose of SMS authentication.

Additional methods of infection that UpdateAgent uses include creating folders on the host with existing user permissions. It also uses PlistBuddy to create and modify Plists in LaunchAgent and LaunchDeamon to increase its persistence on the host. UpdateAgent then covers its tracks by removing incriminating files and folders.


UpdateAgent malware also impersonates legitimate software, although Microsoft hasn’t yet disclosed the specific software that it can imitate. However, the new variant of this malware appears to distribute itself primarily through drive-by downloads. This technique involves users unintentionally downloading malicious code, generally because they think it’s something else. For example, malware that uses a drive-by download often poses as a game modification because users who need this type of software are less likely to question suspicious circumstances or behavior.


MacOS software usually requires a licensing fee to use, so impersonating software is an effective method of luring Mac users into downloading malware. As a result, it’s especially important not to download software from third parties if you have a Mac computer.

There are also a variety of methods to avoid inadvertently downloading UpdateAgent and similar malware. These include turning auto-download and Java off if you have a Safari browser. You should also set GateKeeper to prevent downloads of apps without digital signatures. Update Mac OSX regularly, especially security patches. It’s also essential to install Anti-Virus software and keep its virus signature list current. Additional measures for protecting your Mac system include disabling automatic and remote logins.


Chrome malware notification flickr photo by Christiaan Colen shared under a Creative Commons (BY-SA) license