SecurityWeek

macOS Users Warned of New Versions of ReaderUpdate Malware

macOS users are targeted with multiple versions of the ReaderUpdate malware written in Crystal, Nim, Rust, and Go programming languages.


The threat actors behind the macOS malware loader known as ReaderUpdate have built new versions of the threat using the Crystal, Nim, Rust, and Go programming languages, SentinelOne reports.

Initially observed in 2020, when it was distributed as a compiled Python binary, the malware has been communicating with a command-and-control (C&C) server at www[.]entryway[.]world and has been seen deploying a payload identified as the Genieo (aka Dolittle and MaxOfferDeal) adware.

Since mid-2024, newer domains have been associated with the Crystal, Nim, and Rust variants of ReaderUpdate, but the payload has not changed, SentinelOne says. The Go variant the cybersecurity firm recently identified follows the same pattern.

“Including the original compiled Python version, ReaderUpdate is currently distributed in five variants compiled from five different source languages. We observed distribution of the newer variants through existing infections of the older ReaderUpdate,” SentinelOne notes.

The malware has been distributed via free and third-party software download sites, including through malicious package installers containing fake or trojanized utility applications. All observed variants only target the x86 Intel architecture.

Analysis of the Go variant of ReaderUpdate has revealed that, upon execution, the malware first collects information about the system’s hardware, uses it to create a unique identifier, and sends that identifier to the C&C.

The analysis also revealed that the threat can parse and execute responses received from the C&C, which suggests that it could be used to run any commands its operator sends.

“While to date ReaderUpdate infections have only been associated with known adware, the loader has the capability to change the payload to something more malicious. This is consistent with a loader platform that might be used to offer other threat actors Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS),” SentinelOne says.


To date, the cybersecurity firm has identified nine ReaderUpdate samples written in Go, which reach out to seven C&C domains. This indicates that the Go variant is far less common than the Nim, Crystal, and Rust variants, which have hundreds of samples in the wild.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
