The UpdateAgent malware family first surfaced just over a year ago with rudimentary infection and data-theft capabilities. Researchers have since spotted signs that the malware is evolving into a fully fledged spy toolkit. The latest campaign saw the malware installing the evasive and persistent Adload adware, and Microsoft said it could theoretically be leveraged further to fetch other, potentially more dangerous payloads. The UpdateAgent Trojan has been observed bypassing Apple’s Gatekeeper security technology and abusing the existing user’s permissions to quietly perform malicious activities.
Microsoft published technical evidence to show UpdateAgent misusing public cloud infrastructure – Amazon S3 and CloudFront services – to host additional payloads. The Trojan is likely distributed via drive-by downloads or advertisement pop-ups that impersonate legitimate software applications.