Full Report
ReaderUpdate, a widespread campaign whose binaries are written in several different source languages, presents unique challenges for detection and analysis.
Analysis Summary
# Tool/Technique: ReaderUpdate
## Overview
ReaderUpdate is a macOS malware loader platform that has been active since at least 2020. It has recently seen a resurgence ("Reforged") with variants compiled in modern programming languages like Crystal, Nim, Rust, and Go, in addition to the original compiled Python version. Its primary function is to deliver subsequent payloads, notably bundling Genieo (aka DOLITTLE) adware.
## Technical Details
- Type: Malware family (Loader Platform)
- Platform: macOS (x86 Intel architecture, requires Rosetta 2 for execution on Apple Silicon)
- Capabilities: Executes subsequent stages, maintains persistence, communicates with C2 infrastructure.
- First Seen: 2020 (Original Python variant)
## MITRE ATT&CK Mapping
Since the report details the infection chain and persistence mechanisms, common mappings for malware loaders are relevant:
- **TA0001 - Initial Access** (potential, if delivered via trojanized apps)
  - Needs further context on the initial delivery method for precise mapping (trojanized apps imply T1588.002 or T1078.004 if downloaded directly).
- **TA0003 - Persistence**
  - **T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder** (using LaunchAgents on macOS)
## Functionality
### Core Capabilities
- **Multi-Language Compilation:** Distributed in five variants compiled from Python, Go, Crystal, Rust, and Nim.
- **Payload Delivery:** Downloads and executes a secondary payload, identified as Genieo (aka DOLITTLE, MaxOfferDeal) adware.
- **Persistence Mechanism:** Drops a LaunchAgent file (e.g., `com.readerupdate.plist`) in the user's `~/Library/LaunchAgents/` folder to execute on user login. Can utilize `/private/var/root/` locations if running with elevated privileges.
- **File Placement:** Original malware is often found in `~/Library/Application Support/ReaderUpdate/ReaderUpdate`. Newer variants are seen in locations like `~/Library/Application Support/printers/printers`.
### Advanced Features
- **Obfuscation:** The original Python version ships a Python runtime embedded within the binary and obfuscates its scripts with `pyarmor`.
- **Temporary File Execution:** Uses `/usr/bin/mktemp` to create temporary files (e.g., in `/tmp/`) into which the subsequent payload is downloaded and from which it is executed.
- **Evasion:** The appearance of the Go variant, alongside the Crystal, Nim, and Rust builds, indicates continued development aimed at evading detection tools.
## Indicators of Compromise
- File Hashes (SHA-1):
  - Compiled Python (Original): `fe9ca39a8c3261a4a81d3da55c02ef3ee2b8863f`
  - Go Variant: `36ecc371e0ef7ae46f25c137aa0498dfd4ff70b3`
  - Crystal Variant: `86431ce246b54ec3372f08c7739cd1719715b824`
  - Rust Variant: `01e762ef8a10bbcda639ed62ef93b784268d925a`
  - Nim Variant: `21a2ec703a68382b23ce9ff03ff62dae07374222`
- File Names:
  - Initial malware (Python): `ReaderUpdate`
  - Delivered secondary payload: `V6QED2Q1WBYVOPE`
- Registry Keys: N/A (macOS-native persistence mechanism used)
- Network Indicators:
  - C2 Domain (Historical/Observed): `www[.]entryway[.]world`
  - C2 Domain (Observed in arguments): `limitedavailability-show[.]com`
- Behavioral Indicators:
  - Dropping the persistence agent `com.readerupdate.plist` in the user's LaunchAgents folder.
  - Running `sh -c chmod +x` against the downloaded payload, followed by execution of that payload.
  - Use of `curl` commands to fetch data from the C2 domain.
## Associated Threat Actors
- The activity cluster responsible for the Crystal, Nim, Rust, and Go variants is the same cluster responsible for previously reported ReaderUpdate infections. (The attribution is implied to be related to known adware distributors, given the final payload is Genieo/DOLITTLE).
## Detection Methods
- Signature-based detection: Use provided SHA-1 hashes to detect malware binaries.
- Behavioral detection: Monitor for the creation of LaunchAgents in user libraries pointing to suspicious executables, or suspicious download/execution chains involving `/usr/bin/mktemp` and immediate execution of fetched files.
- YARA rules: Not explicitly provided in the text, but YARA could target unique strings or binary structures common across the different language variants.
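As an added example (not code from the report or its authors), the following Python script audits a LaunchAgents folder for the indicators the report gives: the `com.readerupdate` label, the two drop locations under `Library/Application Support`, and the SHA-1 hashes of the five variants. The two sample plists are constructed inline so it runs offline; `audit_launch_agents` can equally be pointed at a real `~/Library/LaunchAgents/`.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

KNOWN_SHA1 = {  # SHA-1 hashes from the report's IoC section
    "fe9ca39a8c3261a4a81d3da55c02ef3ee2b8863f": "compiled Python",
    "36ecc371e0ef7ae46f25c137aa0498dfd4ff70b3": "Go",
    "86431ce246b54ec3372f08c7739cd1719715b824": "Crystal",
    "01e762ef8a10bbcda639ed62ef93b784268d925a": "Rust",
    "21a2ec703a68382b23ce9ff03ff62dae07374222": "Nim",
}
DROP_LOCATIONS = (  # drop paths the report associates with ReaderUpdate
    "Library/Application Support/ReaderUpdate/",
    "Library/Application Support/printers/",
)


def inspect_launch_agent(plist_path):
    """Return the reasons one LaunchAgent plist looks like ReaderUpdate persistence."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    reasons = []
    if label.lower().startswith("com.readerupdate"):
        reasons.append(f"label matches known agent: {label}")
    if any(loc in program for loc in DROP_LOCATIONS):
        reasons.append(f"program under known drop location: {program}")
    target = Path(program)
    if target.is_file():  # hash the launched executable when it is present on disk
        digest = hashlib.sha1(target.read_bytes()).hexdigest()
        if digest in KNOWN_SHA1:
            reasons.append(f"SHA-1 matches {KNOWN_SHA1[digest]} variant")
    return reasons


def audit_launch_agents(agents_dir):
    """Map each suspicious plist name in agents_dir to its list of reasons."""
    return {p.name: r for p in sorted(Path(agents_dir).glob("*.plist"))
            if (r := inspect_launch_agent(p))}


def demo():
    """Audit a constructed folder holding one benign and one ReaderUpdate-style agent."""
    with tempfile.TemporaryDirectory() as tmp:
        prog = f"{tmp}/Library/Application Support/ReaderUpdate/ReaderUpdate"
        agents = {"com.example.benign": ["/usr/bin/true"], "com.readerupdate": [prog]}
        for label, args in agents.items():
            plist = plistlib.dumps({"Label": label, "RunAtLoad": True, "ProgramArguments": args})
            Path(tmp, f"{label}.plist").write_bytes(plist)
        return audit_launch_agents(tmp)
```

On a live system, a hit on the label or drop-location check warrants pulling the referenced binary for hashing even when the SHA-1 check does not fire, since the report only lists five variant hashes.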
## Mitigation Strategies
- Prevention measures: Exercise caution when downloading software from third-party or free software download sites, as this remains a common delivery vector (e.g., trojanized utility apps like "DragonDrop").
- Hardening recommendations: Ensure only trusted applications are installed. Regularly audit LaunchAgents for unauthorized entries. (Note: Malware runs on x86 architecture; Macs running Apple Silicon without Rosetta 2 installed might be inherently protected against these specific binaries).
## Related Tools/Techniques
- WizardUpdate (aka UpdateAgent, Silver Toucan) - Associated with some prior infections, though described as distinct.
- Genieo (aka DOLITTLE, MaxOfferDeal) - The adware payload frequently delivered by ReaderUpdate.
- DragonDrop (aka Drag-and-Drop, Drag-on Drop) - Example of a trojanized utility app used for initial distribution.