Authors: Jaron Bradley, Stuart Ashenbrenner and Matt Benyo
Dropper and Initial Instructions
The newly discovered Swift-based dropper exhibits many of the characteristics of typical dropper malware, including some minor system fingerprinting, endpoint registration and persistence. The second stage download and execute the functionality of droppers, in general, represent a risky class of malware that support a number of second-stage attacks — from malware to spyware, to adware.
In this case, Jamf Threat Labs was tipped by an increase in adware/malware threat preventions that appeared to be a part of the same family. Additionally, each instance was traced to an executable named PDFCreator. This executable was unsigned and running from the “/Library/Application Support” directory. Upon further inspection, the executable was determined to be written in Swift, containing suspiciously obfuscated (base64) strings.
At the time of discovery, this binary had zero hits from antivirus vendors in VirusTotal.
When executed, this binary is responsible for reaching out to a registration server and setting up persistence on the system on which it runs.
When this executable runs, the following command is run to gather the machine hardware id in order to use it as a unique identifier moving forward.
The executable then uses the following curl command to reach out to a server to register the device and acquire a bash script to be executed.
The execution of this bash script is the mach-O executable’s primary task. After pulling it from the URL, it runs directly from the Swift dropper without hitting the hard drive. During our analysis, the script contents were uploaded to VirusTotal and can be seen here.
Based on the results we are seeing, we suspect this bash script is likely built dynamically as machines are registered. This script performs a large number of actions. Below are just some of the interesting variables that are used which we’ve labeled with comments.
Additionally, another variable titled “URL” was set. However, it was obvious that at the time of investigation the link meant to provide this URL value was currently down or unattainable as the $URL variable was set to a “File not found” type error.
However, other samples of this malicious script can be found on VT that appear to have URLs pointing to AWS S3 buckets. AWS has been made aware of the specifics.
When the URL variable is accurately set by the server, it gets used to download a stage-2 disk image (DMG) to the endpoint. Below, we’ve again commented on the code to describe what's happening.
In cases where the $URL is active, the downloaded DMG contained an application. The application file name held within the DMG appears to have been created by combining a few random words together. This application is then copied to the /tmp directory. A handful of the ones we’ve seen are as follows:
The path to the newly created application is then stored within the $TMPFILE variable created earlier.
One interesting trick that this malware uses is that it modifies the /etc/sudoers file with the following command:
This command makes it so that the basic user can execute the script ($TMPFILE) as root without requiring a password. This modification to the sudoers file is only possible if UpdateAgent is already running as root.
The malware then creates a user-level LaunchAgent by running a series of PlistBuddy commands. Here’s an example of a resulting launch agent:
Both the editing of the sudoers file and the creation of persistence using the PlistBuddy command align with past workflows done by UpdateAgent according to previous findings from Microsoft.
When this plist loads at runtime, it will execute the temporary application. Even though it runs as a user LaunchAgent it is able to escalate to root without a password due to the previously mentioned modification made to the /etc/sudoers file.
After the LaunchAgent is loaded, the malicious bash script sleeps for a short period of time and then performs cleanup by unmounting the DMG file and removing the changes it made to the sudoers file.
In many circumstances, we see yet another plist and binary combination being dropped by PDFCreator called“ActiveDirectory”.
Once again, in the VirusTotal screenshot above, this binary is seen as clean.
After close examination, we noted that this executable is almost identical to the PDFCreator executable. The primary difference is that it reaches out to a different URL from which it should load a bash script.
In the cases that we observed, this downloaded bash script would send a simple check-in event to the cloud. If the contents of this URL change, the victim computer can perform any given instructions when it checks in next.
The authors of the UpdateAgent malware remain vigilant in keeping it up to date. It is known for having a well-built backend that allows itself to be easily updated, and although we’ve only seen adware families dropped by it, security experts are concerned that there might be other malicious plans for the future with such a well-built infrastructure.
Jamf Protect users are covered against the known, existing families of this malware, including various different detection surrounding suspicious behaviors and potentially unwanted applications, thanks to the frequently updated behavioral analytics.
Threat actors and malware authors are savvy to updating their toolsets to continue compromising endpoints.
So, why not rely on a solution, like Jamf Protect, that is consistently updated and has the strength of the Jamf Threat Labs behind it to prevent the latest threats?
Have market trends, Apple updates and Jamf news delivered directly to your inbox.