A sophisticated macOS malware loader known as “ReaderUpdate” has significantly evolved, now incorporating variants written in Nim and Rust programming languages. Active since at least 2020, this malware has largely evaded detection by many security vendors.
Evolution and Diversification
Initially distributed as a compiled Python binary, ReaderUpdate has expanded its arsenal to include implementations in Crystal, Nim, Rust, and most recently, Go. This diversification demonstrates the malware authors’ adaptability and technical prowess. The varying sizes of these compiled versions—Python at 5.6MB, Go at 4.5MB, Crystal at 1.2MB, Rust at 400KB, and Nim at 166KB—suggest experimentation with detection evasion techniques across different development platforms.
Distribution Methods
ReaderUpdate typically reaches victims through free or third-party software download sites. It is often disguised within package installers containing fake or trojanized utility applications, such as “DragonDrop.” Once installed, the malware establishes persistence and communicates with command and control (C2) servers to receive further instructions or deliver secondary payloads.
Infection Mechanism and Persistence
The infection sequence begins by collecting system hardware information using the native `system_profiler SPHardwareDataType` command. This data forms a unique identifier for the victim, which is later transmitted to C2 servers. The malware then verifies its execution location, creating a dedicated folder structure if needed:
– `~/Library/Application Support//`
– `~/Library/LaunchAgents/com..plist`
To maintain persistence, ReaderUpdate creates a LaunchAgent that executes the malware at login. The plist file follows a consistent pattern:
– `Label`: `com.etc`
– `KeepAlive`
– `RunAtLoad`
– `Program`: `/Users/[username]/Library/Application Support/etc/etc`
This setup enables the malware to maintain resilience against system reboots while positioning itself to receive further commands from its operators.
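A defender-side check for the LaunchAgent persistence pattern described above, added here as an example and not code from the original report: it parses user LaunchAgent plists and flags the combination of `KeepAlive`, `RunAtLoad` and a `Program` under `~/Library/Application Support`. The label and path in the embedded sample plist are constructed placeholders, since the report's actual values are elided.

```python
import plistlib
import re
from pathlib import Path

# Constructed sample modelled on the pattern in the report; the label and
# program path are placeholders, not real ReaderUpdate indicators.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.placeholder",
    "KeepAlive": True,
    "RunAtLoad": True,
    "Program": "/Users/alice/Library/Application Support/placeholder/placeholder",
})
# Constructed benign agent: runs at login but points at a system binary.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.benign",
    "RunAtLoad": True,
    "ProgramArguments": ["/usr/bin/true"],
})

APP_SUPPORT_RE = re.compile(r"^(/Users/[^/]+|~)/Library/Application Support/")

def assess_launch_agent(data: bytes) -> dict:
    """Return the persistence indicators found in one LaunchAgent plist."""
    plist = plistlib.loads(data)
    program = plist.get("Program")
    if program is None:  # launchd also accepts ProgramArguments[0] as the binary
        args = plist.get("ProgramArguments") or []
        program = args[0] if args else None
    findings = {
        "label": plist.get("Label"),
        "program": program,
        "keep_alive": bool(plist.get("KeepAlive")),
        "run_at_load": bool(plist.get("RunAtLoad")),
        "program_in_app_support": bool(program and APP_SUPPORT_RE.match(program)),
    }
    # The combination the report describes: kept alive, started at login,
    # and the executable lives under the user's Application Support folder.
    findings["suspicious"] = (findings["keep_alive"] and findings["run_at_load"]
                              and findings["program_in_app_support"])
    return findings

def scan_launch_agents(directory: Path = Path.home() / "Library/LaunchAgents") -> list:
    """Apply assess_launch_agent to every plist in a user's LaunchAgents folder."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            findings = assess_launch_agent(path.read_bytes())
        except Exception as exc:  # malformed plist: record it instead of aborting
            findings = {"error": str(exc), "suspicious": False}
        findings["path"] = str(path)
        results.append(findings)
    return results
```

A hit from `scan_launch_agents()` is a triage lead, not a verdict: legitimate updaters also install user LaunchAgents, so confirm the `Program` binary's signature and origin before acting.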
Infrastructure and Potential Threats
Analysis has revealed that the malware operators have established an extensive infrastructure spanning multiple domains, including `entryway[.]world`, `airconditionersontop[.]com`, and `streamingleaksnow[.]com`, among others. This infrastructure connects all variant types to a common operation.
To date, most infections have delivered Genieo (also known as DOLITTLE) adware. However, the platform’s modular architecture and loader capabilities make it particularly concerning, as it can easily pivot to delivering more dangerous payloads. The loader’s capability to execute arbitrary commands makes it a potential vector for Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) operations targeting macOS users.
Implications for macOS Security
The emergence and evolution of ReaderUpdate underscore the increasing sophistication of threats targeting macOS systems. The use of multiple programming languages and the establishment of a robust infrastructure indicate a well-resourced and adaptable adversary. This development highlights the need for continuous vigilance and the adoption of comprehensive security measures to protect against such evolving threats.