Mysterious Mac malware iWebUpdate discovered; is 5 years old
Posted on February 24, 2023 by Joshua Long
A mysterious Mac malware sample called iWebUpdate was discovered on Valentine’s Day. One of the strangest things about it is that although it was only just identified as malware, it had apparently been infecting Macs for roughly the last four and a half years, going back to August or September of 2018.
Let’s take a look at what we know about this malware and how to safely remove it from infected systems.
How was iWebUpdate discovered?
Patrick Wardle, an independent Mac security researcher, set out to find new evidence to support his personal theory that “there’s probably a lot more (Mac) malware out there than we’re seeing.” In a blog post he published in the early morning hours of Valentine’s Day, Wardle said that he had just discovered and analyzed a malware sample that supports that theory. Wardle says it took him less than ten minutes of browsing VirusTotal to find it, despite its 0% detection rate.
VirusTotal is a site where anyone can upload potentially infected files to get opinions from over 60 different antivirus engines on whether those files might be malicious. Malware researchers can search for potential malware samples by filtering the list of uploaded files by criteria of interest.
According to the data available on VirusTotal, the iWebUpdate file Wardle analyzed was uploaded three times, initially from an unknown country on September 23, 2018. It’s unclear whether this first uploader was a genuinely infected user or whether the malware creator uploaded the sample from a test system to check if any antivirus engine detected it (a fairly common practice). The file was subsequently re-uploaded twice: apparently from Romania on November 7, 2019, and apparently from the United States on February 10, 2023. The recency of the latest upload helped catch Wardle’s attention.
But what’s more interesting than how many times it was actually uploaded is how often the file appears to have been submitted (without re-uploading) and rescanned (i.e., scanned again by the antivirus engines). It seems that several people over time tried to upload it, were told that VirusTotal already had an identical copy of the file, and then asked VirusTotal to have the antivirus engines scan it again with the latest definitions. VirusTotal’s logs list 17 different file paths (including the first upload) that indicate possible real-world infections, and the file was scanned about 20 times between its initial upload and Wardle’s discovery. The number of rescans dropped dramatically after April 2021, and the file was only scanned once in 2022.
This seems to suggest fairly widespread distribution of the file from late 2018 to early 2021. Note that most of these encounters were presumably from users searching their own Mac’s file system for potentially suspicious files and then uploading them to VirusTotal, something the average Mac user would never do.
What does iWebUpdate do to an infected computer?
The iWebUpdate malware appears to be a first-stage infection, a way to gain an initial foothold on an infected Mac. It sets up persistence, meaning it is installed in such a way that it will automatically load in the background every time the infected Mac is restarted.
After determining the operating system of the infected Mac and (attempting to identify) the Mac model it is running on, it attempts to connect to a remote server with a similar name, iwebservicescloud[.]com. From there, it tries to download an additional payload. Since the server apparently no longer hosts the same command and control system it did when the malware was first distributed, it is difficult to determine what the capabilities of the second-stage payload might have been.
Who created the iWebUpdate malware?
Due to a variety of factors, including code and server reuse, it can often be difficult to determine with certainty whether a known threat actor was involved in the development or distribution of a particular piece of malware.
Wardle noticed something interesting about a previous IP address to which iwebservicescloud[.]com resolved during a portion of the time the malware appears to have been active. That IP address, 185.181.104[.]82, appears in a CISA report on Mac malware from the Lazarus Group, and more specifically Operation AppleJeus, as an IP address to which celasllc[.]com once resolved. This does not definitively prove a connection to the same threat actor, but it is still a possible clue about the origin of iWebUpdate.
Interestingly, VirusTotal also indicates that a certain malware sample from the Genieo family appears to have been a “run parent” of the iWebUpdate malware.
What else is worth noting about iWebUpdate malware?
Since the malware was designed in 2018, which predates Apple’s announcement of ARM-based Apple silicon processors, the malware code is built to run on Intel processors. However, since many Macs today have the Rosetta 2 Intel emulation framework installed, the malware could probably run successfully on many M1 or M2-based Macs.
Unlike much of the Mac malware we see today, iWebUpdate was not signed with an Apple-issued developer certificate. Because this malware was created before 2019, it predates Apple’s notarization process, so it is also not notarized. (Notarization was a weak attempt to reduce the amount of malware on the Mac; we’ve seen plenty of Apple-notarized Mac malware.)
As noted above, iWebUpdate attempts to identify the Mac model it is running on; that wording was intentional. We noticed that the shell command iWebUpdate uses to determine the Mac model it runs on contains an error. Although in some cases the command will correctly identify the host Mac, it will not make an accurate identification if the Mac was initially set up by transferring data from a previous Mac. Instead, iWebUpdate will mistakenly report the host Mac as the original (previous) Mac model. The malware uses the command:
echo $(defaults read ~/Library/Preferences/com.apple.SystemProfiler.plist 'CPU Names') | cut -d'"' -f4
A correct way to determine the model of the current host Mac would be:
echo $(defaults read ~/Library/Preferences/com.apple.SystemProfiler.plist 'CPU Names' | cut -sd '"' -f 4 | tail -n 1)
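To make the difference between the two commands concrete, here is an added example (not from the article or the malware) that feeds constructed `defaults read`-style output through both parses, so it runs in any POSIX shell without a real SystemProfiler plist. The model identifiers and names are illustrative, and the migrated sample lists the older Mac first and the current Mac last, the ordering the corrected command relies on.

```shell
#!/bin/sh
# Constructed sample: what `defaults read ... 'CPU Names'` prints on a Mac set up fresh
# (a single entry). Identifiers and model names are illustrative only.
fresh_cpu_names() {
  cat <<'EOF'
{
    "MacBookPro15,1-BBBB" = "MacBook Pro (15-inch, 2018)";
}
EOF
}

# Constructed sample: a Mac set up by migrating data from an older Mac (two entries,
# older Mac first, current Mac last).
migrated_cpu_names() {
  cat <<'EOF'
{
    "MacBookPro11,1-AAAA" = "MacBook Pro (Retina, 13-inch, Late 2013)";
    "MacBookPro15,1-BBBB" = "MacBook Pro (15-inch, 2018)";
}
EOF
}

# iWebUpdate's parse (input on stdin): echo collapses every line into one, so cut's
# 4th quote-delimited field is always the FIRST entry's value, whatever follows it.
malware_parse() {
  echo $(cat) | cut -d'"' -f4
}

# The corrected parse (input on stdin): cut runs per line, -s drops the brace lines
# (they contain no quote), and tail keeps only the last entry.
fixed_parse() {
  echo $(cut -sd '"' -f 4 | tail -n 1)
}

# Both parses agree on a fresh Mac; only the corrected one names the current Mac
# after a migration.
printf 'fresh    / malware: %s\n' "$(fresh_cpu_names | malware_parse)"
printf 'fresh    / fixed:   %s\n' "$(fresh_cpu_names | fixed_parse)"
printf 'migrated / malware: %s\n' "$(migrated_cpu_names | malware_parse)"
printf 'migrated / fixed:   %s\n' "$(migrated_cpu_names | fixed_parse)"
```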
It is also interesting to note that iWeb was the name of the web design software that Apple offered as part of its iLife suite from 2006 to 2011. The file names and domain used by iWebUpdate may be an attempt to disguise it as legitimate software from Apple.
How can iWebUpdate and other Mac malware be removed?
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and remove Mac malware. Intego software detects this threat under the names OSX/iWebUpdate, OSX/iWebUpdate.ext and OSX/Dldr.Agent.zbqnj.
If you think your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a reputable Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including Apple’s latest Apple silicon Macs with macOS Ventura.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.
Note: Intego customers running VirusBarrier X8, X7, or X6 on earlier versions of Mac OS X are also protected from this threat. It’s best to update to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac receives the latest security updates from Apple.
iWebUpdate Indicators of Compromise (IoC)
Three file paths are associated with iWebUpdate malware:
~/Library/Services/iWebUpdate
~/Library/LaunchAgents/iwebupdate.plist
/tmp/iwup.tmp
Note that the tilde (~) indicates the home folder of a particular user, for example
The main sample, iWebUpdate, has a SHA-256 hash of 3e66e664b05b695b0b018d3539412e6643d036c6d1000e03b399986252bddbfb and is available for researchers to download from VirusTotal.
A command and control domain associated with this malware was identified around 2018: iwebservicescloud[.]com
The domain was originally registered in August 2018, and that original registration appears to have lapsed. Currently, the domain appears to have been most recently registered in January 2021, so its current owner may not be the same party as the original domain owner. However, network administrators can still check recent logs to try to identify whether any computers on their network may have tried to communicate with this domain, which could indicate a possible infection.
Is iWebUpdate known by any other names?
Third-party names for threat components of this malware campaign may include variations of the following:
Backdoor (0040f3561), HEUR:Trojan-Downloader.OSX.Agent.gen, MacOS:Downloader-AX [Drp], Malware.OSX/Dldr.Agent.zbqnj, OSX.Trojan.Gen, OSX/Agent.X!tr.dldr, OSX/TrojanDownloader.Agent.X, Trojan:MacOS/Multiverze, Trojan.Downloader.OSX.Agent, Trojan.MAC.Generic.111537 (B), Trojan.MAC.Generic.D1B3B1, Trojan.OSX.Agent.4!c
How can I learn more?
For additional technical details about the iWebUpdate malware, including its reverse engineering and analysis of how the binary works, you can refer to Patrick Wardle’s article.
We talked about iWebUpdate in episode 279 of the Intego Mac Podcast:
Every week in the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice for getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our electronic newsletter and keep an eye here on The Mac Security Blog for the latest security and privacy news from Apple. And don’t forget to follow Intego on your favorite social networks:
About Joshua Long
Joshua Long (@joshmeister), Intego’s Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master’s degree in IT with a concentration in Internet Security and has taken PhD-level courses in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for over 20 years, which has often been featured in mainstream media around the world. Look for more articles from Josh at security.thejoshmeister.com and follow him on Twitter.