The threat actors responsible for the macOS malware loader ReaderUpdate have been busy creating new versions of the malware using various programming languages, including Crystal, Nim, Rust, and Go. According to a report from SentinelOne, these new versions have been emerging since mid-2024, with newer domains associated with the Crystal, Nim, and Rust variants.
Initially detected in 2020 as a compiled Python binary, ReaderUpdate was known for communicating with a command-and-control server at www[.]entryway[.]world and deploying the Genieo adware as its payload. Despite the shift to different programming languages for newer variants, the payload has remained consistent.
SentinelOne has highlighted that the distribution of these newer variants has been observed through existing infections of older versions of ReaderUpdate. The malware has been spread through free and third-party software download sites, often packaged within malicious installers disguised as utility applications. It’s important to note that all observed variants exclusively target the x86 Intel architecture.
An analysis of the Go variant of ReaderUpdate shows that, on execution, it collects hardware information and builds a unique identifier from it, which it sends to the command-and-control server. It then parses and executes the responses it receives from the C&C, which would allow the threat actors to issue commands remotely.
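Two of the traits reported above lend themselves to simple triage checks: every observed variant is built for Intel only, and the loader has beaconed to www.entryway.world since 2020. The Python below is an added example (not SentinelOne's code and not derived from the malware) that reads Mach-O headers to list the CPU slices a binary carries and scans DNS log lines for the C2 domain; the sample headers and log lines are constructed, not captured.

```python
import struct

# Mach-O constants from the public mach-o/loader.h and mach-o/fat.h headers.
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
CPU_NAMES = {0x7: "x86", 0x01000007: "x86_64", 0x0100000C: "arm64"}
C2_DOMAIN = "www.entryway.world"  # C2 named in the report (defanged in the article)

def mach_o_cputypes(data: bytes) -> set:
    """Return the CPU architectures present in a thin or universal Mach-O."""
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        # Fat headers are always big-endian: magic, nfat_arch, then 20-byte fat_arch records.
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = set()
        for i in range(nfat):
            off = 8 + 20 * i
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.add(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if magic in (MH_MAGIC_64, MH_MAGIC):      # big-endian thin binary
        fmt = ">I"
    elif magic in (MH_CIGAM_64, MH_CIGAM):    # little-endian thin binary (Intel and arm64 Macs)
        fmt = "<I"
    else:
        raise ValueError("not a Mach-O file")
    cputype = struct.unpack(fmt, data[4:8])[0]
    return {CPU_NAMES.get(cputype, hex(cputype))}

def is_intel_only(data: bytes) -> bool:
    """True when the binary has no slice for anything but x86/x86_64, as all ReaderUpdate variants so far."""
    return mach_o_cputypes(data) <= {"x86", "x86_64"}

def c2_hits(log_lines) -> list:
    """Return DNS log lines whose queried name is the known ReaderUpdate C2 domain."""
    return [ln for ln in log_lines if C2_DOMAIN in ln.lower().split()]

# Constructed sample headers (not real ReaderUpdate bytes): a little-endian x86_64
# thin Mach-O, and a universal binary carrying x86_64 and arm64 slices.
THIN_X86_64 = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0)
FAT_UNIVERSAL = (struct.pack(">2I", FAT_MAGIC, 2)
                 + struct.pack(">5I", 0x01000007, 3, 0x4000, 0x1000, 14)
                 + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0x1000, 14))
# Constructed DNS log lines in a "timestamp host query TYPE name" layout.
SAMPLE_DNS = [
    "2025-03-25T10:01:02Z mac-01 query A www.entryway.world",
    "2025-03-25T10:01:05Z mac-01 query A swcdn.apple.com",
]

if __name__ == "__main__":
    print("thin sample Intel-only:", is_intel_only(THIN_X86_64))
    print("universal sample Intel-only:", is_intel_only(FAT_UNIVERSAL))
    print("C2 hits:", c2_hits(SAMPLE_DNS))
```

An Intel-only slice set is of course not malicious on its own; it is a cheap filter for narrowing which third-party installers to inspect further alongside the network indicator.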
While current infections of ReaderUpdate have only been linked to adware, SentinelOne warns that the loader has the potential to deliver more malicious payloads in the future. This versatility could turn it into a platform for offering Pay-Per-Install or Malware-as-a-Service to other threat actors.
The cybersecurity firm has identified nine samples of ReaderUpdate written in Go, each connecting to seven unique C&C domains. Despite being less prevalent than the Nim, Crystal, and Rust variants, the Go variant poses a significant threat due to its remote command execution capabilities.
In a related development, recent attacks targeting macOS users have combined scareware with phishing tactics, showcasing the evolving landscape of threats facing Apple’s operating system. Additionally, the emergence of new malware like FrigidStealer and improvements to existing threats like XCSSET highlight the importance of staying vigilant against cyber threats.
As macOS users navigate the evolving threat landscape, it is crucial to practice caution when downloading software from unverified sources and to keep security software up to date. By remaining informed and proactive, users can better protect themselves against emerging malware threats like ReaderUpdate and its various iterations.
For more information on this developing story, visit the original post URL: https://www.securityweek.com/macos-users-warned-of-new-versions-of-readerupdate-malware/.