Potential WizardUpdate Malware Infection

Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.

Sigma rule (View on GitHub)

 1title: Potential WizardUpdate Malware Infection
 2id: f68c4a4f-19ef-4817-952c-50dce331f4b0
 3status: test
 4description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
 5references:
 6    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97
 7    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
 8    - https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
 9author: Tim Rauch (rule), Elastic (idea)
10date: 2022/10/17
11tags:
12    - attack.command_and_control
13logsource:
14    category: process_creation
15    product: macos
16detection:
17    selection_1:
18        Image|endswith: '/sh'
19        CommandLine|contains|all:
20            - '=$(curl '
21            - 'eval'
22    selection_2:
23        Image|endswith: '/curl'
24        CommandLine|contains: '_intermediate_agent_'
25    condition: 1 of selection_*
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top