How to detect UpdateAgent Mac malware
Earlier this month, Microsoft published research about the evolution of UpdateAgent Mac malware. Media outlets picked up the story, with many of them describing the changes to UpdateAgent in rather dramatic terms: “sophisticated”, “menacing”, and “more dangerous”. In this article, we’ll tell you about the malware and the risk that it poses, and we’ll show you how to detect UpdateAgent on a Mac.
What is UpdateAgent?
UpdateAgent is a macOS Trojan that was discovered in late 2020. It’s also known as WizardUpdate or as Silver Toucan (our own MacScan 3 detects it as WizardUpdate).
As Microsoft’s blog post explains, UpdateAgent “is likely distributed via drive-by downloads or advertisement pop-ups, which impersonate legitimate software”.
What does UpdateAgent do?
UpdateAgent’s capabilities have changed over time.
Initially, the malware just collected information about an infected Mac and sent it back to a command and control (C&C) server. As Microsoft puts it, at this stage UpdateAgent was nothing more than “a fairly basic information-stealer”.
However, UpdateAgent soon acquired the ability to fetch and install secondary payloads on a compromised machine. In other words, if UpdateAgent is already running on a Mac, bad actors can use it to infect that Mac with other types of malware as well. Interestingly, UpdateAgent doesn’t retrieve these payloads from the attackers’ own infrastructure. It gets them from legitimate (though misused) public cloud repositories: Amazon S3 or Amazon CloudFront.
Recent iterations of UpdateAgent have added further upgrades. Microsoft reports that as of October 2021, UpdateAgent can bypass Gatekeeper, establish persistence on an infected Mac, and execute system commands with elevated permissions.
How dangerous is UpdateAgent?
All of that sounds pretty bad, but how “dangerous” is UpdateAgent, really? Well, as with so many things, the devil is in the details.
On the one hand, it’s true that UpdateAgent can be used to install additional malware on a Mac. But if you look at what’s actually being installed, it isn’t sophisticated macOS spyware or some APT threat. It’s adware. In particular, it’s Adload adware, which Microsoft’s research team accurately describes as an “evasive” and “unusually persistent” adware family.
This isn’t to imply that adware is just a harmless nuisance. It’s not, and we’ve noted the dangers of macOS adware before. And again, UpdateAgent (and Adload, for that matter) can install arbitrary payloads on a Mac. If they wanted to, the bad guys behind UpdateAgent could use it to install something much more serious than adware. But for now, they don’t seem to be doing that.
At the moment, then, UpdateAgent is best classified as an adware dropper, albeit one with the potential to become something more insidious in the future. So while you shouldn’t ignore the threat, there’s no reason for alarm.
How to avoid an UpdateAgent infection
We’ll talk about detection in a moment, but before that, let’s look at how to avoid an UpdateAgent infection in the first place!
Remember, UpdateAgent is a Trojan. This means users download the malware thinking that it’s legitimate software. You can avoid this type of infection by following a few simple best practices:
Download from safe sources
Don’t download software from unknown or untrusted sources. On a Mac, only download software from the Mac App Store or directly from the app developer’s own website. Third-party app distribution platforms are not inherently malicious, but they’re not as safe (and are unnecessary).
Don’t steal software
Don’t use pirated or “cracked” versions of paid software. Yes, it’s tempting. No, it’s not safe … at all. If money is an issue, look for a reputable open-source software alternative instead. You can often find the exact functionality you’re looking for from an open-source app.
Avoid shady websites
Stay away from websites and forums that traffic in pirated software or illegal content. These disreputable sites are notorious sources of malware links, and of pop-ups that will try to trick you into downloading malware. And remember, it’s 2022: If anyone tells you that you need to install Adobe Flash, don’t believe them!
Stay updated
Keep your Mac up to date. Set up automatic updates for macOS and for the apps running on your system. Keep in mind that UpdateAgent is under active development. If a major Mac vulnerability is discovered, the malware’s authors may try to exploit it in a new UpdateAgent campaign. Your best defense is to make sure that everything is up to date.
Don’t click through
Pay attention to system dialogs. If your Mac warns you that something you’re trying to run has a code-signing issue, or can’t be checked for malware, don’t run it. Be aware that malware authors will sometimes provide “helpful” instructions for bypassing your Mac’s normal restrictions against running unverified apps. This is nothing more than a social engineering trick: don’t fall for it!
How to detect UpdateAgent on a Mac
Worried that your Mac has an UpdateAgent infection? Here are several ways to check:
Look for IOCs
Indicators of compromise (IOCs) are the telltale signs that a cyberattack has occurred. They often take the form of file names or apps found in specific locations on an infected system. Malware researcher Phil Stokes has compiled a helpful list of the primary IOCs for UpdateAgent:
- /Library/Application Support/Helper/HelperModule
- /Library/Application Support/WebVideoPlayer/WebVideoPlayerAgent
- /Library/Application Support/McSnip/McSnipAgent
- ~/Library/Application Support/Quest/QuestBarStatusAgent
- ~/Library/Application Support/SubVideoTube/SubVideoTubeStatusAgent
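As an added example (not code from the article, from Phil Stokes, or from MacScan), here is a small POSIX shell function that checks for the five IOC paths above; the optional root-prefix and home-directory parameters are our own addition so the same check can be run against a mounted disk image or a constructed test tree instead of the live system.

```shell
#!/bin/sh
# Added example: checks a Mac for the UpdateAgent IOC paths listed in the
# article. The two parameters (system root prefix and home directory) are
# our own additions so the check can also run against a mounted image.

# System-wide paths (under /Library), one per line.
IOC_SYSTEM_PATHS='/Library/Application Support/Helper/HelperModule
/Library/Application Support/WebVideoPlayer/WebVideoPlayerAgent
/Library/Application Support/McSnip/McSnipAgent'

# Per-user paths (relative to the user's home directory), one per line.
IOC_USER_PATHS='Library/Application Support/Quest/QuestBarStatusAgent
Library/Application Support/SubVideoTube/SubVideoTubeStatusAgent'

# check_updateagent_iocs [ROOT] [HOME_DIR]
#   ROOT     prefix for the system paths ("" = the live system)
#   HOME_DIR home directory to check (default: $HOME)
# Prints every IOC path that exists. Returns 0 if none were found,
# 1 if at least one was found (so it can be used directly in an `if`).
check_updateagent_iocs() {
    root="${1:-}"
    home_dir="${2:-$HOME}"
    found=0
    old_ifs="$IFS"
    IFS='
'   # split the lists on newlines only, because the paths contain spaces
    for p in $IOC_SYSTEM_PATHS; do
        if [ -e "${root}${p}" ]; then
            printf 'FOUND: %s\n' "${root}${p}"
            found=1
        fi
    done
    for p in $IOC_USER_PATHS; do
        if [ -e "${home_dir}/${p}" ]; then
            printf 'FOUND: %s\n' "${home_dir}/${p}"
            found=1
        fi
    done
    IFS="$old_ifs"
    return "$found"
}

# Example usage on the live system:
if check_updateagent_iocs "" "$HOME"; then
    echo "No UpdateAgent IOC paths found."
else
    echo "UpdateAgent IOC paths present: run a full malware scan."
fi
```

A clean result only means these specific paths are absent; it does not rule out other components the malware or the adware it drops may have installed.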
Look for signs of an adware infection
Because UpdateAgent installs adware, another way to detect an UpdateAgent infection is to look for common signs of adware:
- A significant uptick in advertisements and pop-ups
- Ads appearing in strange places on webpages
- Frequently visited websites displaying incorrectly or oddly
- Changes to your web browser startup page or to your default search engine
- Web search results that redirect you to a website that you didn’t want to visit
Run a full system scan
UpdateAgent — and other macOS adware that it may have installed — can be tricky to detect, and difficult to remove completely.
If you suspect an infection, the best thing to do is run a full system scan with a reputable, Mac-focused malware detection and removal tool. The trial version of MacScan 3 will detect UpdateAgent Mac malware along with any other macOS adware and malware present on your system. (Note that MacScan detects UpdateAgent under the name WizardUpdate.)