WizardUpdate Mac malware adds new evasion tactics


Level 37
Thread author
Top poster
Feb 4, 2016
Microsoft says it found new variants of macOS malware known as WizardUpdate (also tracked as UpdateAgent or Vigram), updated to use new evasion and persistence tactics.

As Microsoft security experts found, the latest variant — spotted earlier this month — is likely being distributed via drive-by downloads and it impersonates legitimate software, just as it was when threat intelligence firm Confiant discovered it camouflaged as Flash installers in January.

Since the first variants were observed in November 2020, when it was only capable of collecting and exfiltrating system info, WizardUpdate was updated multiple times by its developers.
The sample collected by Microsoft researchers in October comes with several upgrades, including the ability to:


Level 59
Top poster
Content Creator
Apr 24, 2016
From that article:
Malware on the Mac "worse than iOS"
AdLoad, one of the second-stage payloads delivered by WizardUpdate on compromised Macs, also hijacks search engine results and injects advertisements into web pages for monetary gain using a Man-in-The-Middle (MiTM) web proxy

It also gains persistence by adding LaunchAgents and LaunchDaemons and, in some cases, user cronjobs scheduled to run every two and a half hours.

While monitoring AdLoad campaigns active since November 2020, when WizardUpdate was also first spotted, SentinelOne threat researcher Phil Stokes found hundreds of samples, roughly 150 of them unique and undetected by Apple's built-in antivirus.

Many of the samples detected by Stokes were also signed with valid Apple-issued Developer ID certificates, while others were notarized to run under default Gatekeeper settings.

Although both WizardUpdate and AdLoad now only deploy adware and bundleware as secondary payloads, they can switch at any time to more dangerous malware such as wipers or ransomware.

"Today, we have a level of malware on the Mac that we don't find acceptable and that is much worse than iOS," said Craig Federighi, Apple's head of software, in May 2021 under oath while testifying in the Epic Games vs. Apple trial.