Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that infiltrates macOS machines to steal data; it is also associated with other malicious payloads, which increases the chance of multiple infections on one device.
Sigma rule

title: Potential WizardUpdate Malware Infection
id: f68c4a4f-19ef-4817-952c-50dce331f4b0
status: test
description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97
    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
    - https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith: '/sh'
        CommandLine|contains|all:
            - '=$(curl '
            - 'eval'
    selection_2:
        Image|endswith: '/curl'
        CommandLine|contains: '_intermediate_agent_'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high