New ReaderUpdate Malware Variants Target macOS Users
Discover the latest developments in the ReaderUpdate malware, now targeting macOS users with variants written in Crystal, Nim, Rust, and Go. Learn about the threat and how to stay protected.
TL;DR
New variants of the ReaderUpdate malware, written in Crystal, Nim, Rust, and Go, are targeting macOS users. The malware, which has been active since 2020, is now more sophisticated and persistent, posing a significant threat to macOS security.
Security researchers at SentinelOne have identified new variants of the ReaderUpdate malware targeting macOS users. These variants are written in multiple programming languages, including Crystal, Nim, Rust, and Go, making them more challenging to detect and analyze.
Background on ReaderUpdate Malware
ReaderUpdate is a well-known macOS malware loader that has been active since 2020. Initially detected as a compiled Python binary, it was primarily used to deliver Genieo adware. The malware remained largely undetected until late 2024 when new variants written in Crystal, Nim, and Rust emerged.
New Variants and Their Characteristics
The latest variants of ReaderUpdate are distributed through older infections and third-party downloads, often disguised as trojanized apps like “DragonDrop.” All versions are Intel x86-only and require Rosetta 2 on Apple Silicon. Earlier reports analyzed the Crystal, Nim, and Rust versions; the Go variant is now being documented for the first time.
Key Features of the Go Variant
- System Information Collection: The Go variant collects system hardware information to generate unique victim IDs.
- Persistence: It hides in the ~/Library/Application Support/ directory and maintains persistence via a .plist file.
- Command and Control (C2): The malware executes remote C2 commands, suggesting it might be used for Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) schemes.
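Two of the facts above give defenders a cheap triage signal: every ReaderUpdate build is Intel x86-only (so it needs Rosetta 2 on Apple Silicon), and the Go variant persists from a binary under ~/Library/Application Support/ via a .plist file. The script below is an added example written for this page, not code from SentinelOne or from the report; it assumes the persistence plist is a LaunchAgent (the report does not say which kind of property list is used), and the plist text and Mach-O headers it contains are constructed samples, not real ReaderUpdate artifacts. It resolves the program a LaunchAgent would run, checks whether that program lives under Application Support, and reads the Mach-O header (thin or fat) to decide whether the binary carries only Intel architectures.

```python
import glob
import os
import plistlib
import struct
from typing import Callable, Optional, Set

# Mach-O constants from <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit thin image, written in host (little-endian) order
FAT_MAGIC = 0xCAFEBABE         # universal (fat) binary, header fields are big-endian
CPU_TYPE_I386 = 0x00000007
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
INTEL_TYPES = {CPU_TYPE_I386, CPU_TYPE_X86_64}

APP_SUPPORT_MARKER = "/Library/Application Support/"


def macho_cputypes(data: bytes) -> Set[int]:
    """Return the CPU types carried by a Mach-O image (thin 64-bit or fat)."""
    if len(data) < 8:
        return set()
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        types = set()
        for i in range(nfat):
            off = 8 + i * 20            # sizeof(struct fat_arch) == 20
            if off + 4 > len(data):
                break                   # truncated header: keep what we parsed
            types.add(struct.unpack(">I", data[off:off + 4])[0])
        return types
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        return {struct.unpack("<I", data[4:8])[0]}
    return set()                        # not a Mach-O we recognise


def is_intel_only(data: bytes) -> bool:
    """True when the image has at least one slice and all slices are Intel."""
    types = macho_cputypes(data)
    return bool(types) and types <= INTEL_TYPES


def launch_agent_program(plist_bytes: bytes) -> Optional[str]:
    """Resolve the executable a LaunchAgent/LaunchDaemon plist would start."""
    d = plistlib.loads(plist_bytes)
    if isinstance(d.get("Program"), str):
        return d["Program"]
    args = d.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def triage_agent(plist_bytes: bytes,
                 read_binary: Callable[[str], Optional[bytes]]) -> dict:
    """Combine the two indicators for one plist; both must hold to flag it."""
    program = launch_agent_program(plist_bytes)
    result = {"program": program, "in_app_support": False,
              "intel_only": False, "suspicious": False}
    if program is None:
        return result
    result["in_app_support"] = APP_SUPPORT_MARKER in program
    data = read_binary(program)
    if data is not None:
        result["intel_only"] = is_intel_only(data)
    result["suspicious"] = result["in_app_support"] and result["intel_only"]
    return result


def read_file_head(path: str, limit: int = 4096) -> Optional[bytes]:
    """Real reader for use on a live host; only the header bytes are needed."""
    try:
        with open(os.path.expanduser(path), "rb") as f:
            return f.read(limit)
    except OSError:
        return None


def scan_launch_agents(home: str = "~") -> list:
    """Walk a user's LaunchAgents folder and return the flagged entries."""
    hits = []
    for p in glob.glob(os.path.expanduser(home + "/Library/LaunchAgents/*.plist")):
        with open(p, "rb") as f:
            r = triage_agent(f.read(), read_file_head)
        if r["suspicious"]:
            hits.append((p, r["program"]))
    return hits


# --- constructed samples (not real ReaderUpdate artifacts) -------------------
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/Updater/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# struct mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
INTEL_ONLY_HEADER = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0, 0)
# struct fat_header + two struct fat_arch (cputype, cpusubtype, offset, size, align)
UNIVERSAL_HEADER = (struct.pack(">II", FAT_MAGIC, 2)
                    + struct.pack(">5I", CPU_TYPE_X86_64, 3, 0x4000, 0x100, 14)
                    + struct.pack(">5I", CPU_TYPE_ARM64, 0, 0x8000, 0x100, 14))

if __name__ == "__main__":
    print(triage_agent(SAMPLE_PLIST, lambda _p: INTEL_ONLY_HEADER))   # flagged
    print(triage_agent(SAMPLE_PLIST, lambda _p: UNIVERSAL_HEADER))    # not flagged
    print(scan_launch_agents())                                        # live host
```

Treat a hit as a lead for analyst review rather than a verdict: plenty of legitimate helpers live under Application Support, and older third-party software is still shipped as Intel-only, so the combination narrows the pile but does not prove infection. On a live host, `scan_launch_agents()` only reads the first 4 KiB of each program, which is enough for the header; the same check can be cross-checked with `file` or `lipo -archs` on anything it flags.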
Obfuscation Techniques
The malware employs string and URL obfuscation to evade analysis. According to the report:
“Throughout the binary, the developers obfuscate many of the strings, including the C2 URL and the property list content, using functions that either assemble characters on the stack or run some simple character substitution algorithm.”
Distribution and Prevalence
While the Nim, Crystal, and Rust variants are more widespread, the Go version is rarer, with only nine samples observed. These samples are linked to seven domains tied to broader malware infrastructure.
Implications and Future Threats
ReaderUpdate represents a widespread campaign utilizing binaries written in various source languages, each presenting unique detection and analysis challenges. The malware has quietly infected victims through old infections, remaining largely unnoticed due to its dormant nature or delivery of adware.
However, compromised hosts remain vulnerable to any payload the operators choose to deliver, whether their own or sold as Pay-Per-Install or Malware-as-a-Service on underground markets.
Conclusion
The emergence of new ReaderUpdate malware variants underscores the evolving threat landscape for macOS users. Staying informed and implementing robust security measures is crucial to mitigate these risks.