In a recent development, cybersecurity experts have identified new variants of the ReaderUpdate malware targeting macOS users. These variants are written in diverse programming languages such as Crystal, Nim, Rust, and Go, posing a significant threat to users of Apple devices.

Emergence of New Malware Variants

Initially detected as a compiled Python binary in 2020, ReaderUpdate malware has evolved significantly. The malware was first known for distributing Genieo adware. However, it resurfaced in late 2024 with new versions crafted in Crystal, Nim, and Rust, making it more challenging to detect and analyze.

Technical Details of the Malware

SentinelOne researchers have identified five distinct variants of the ReaderUpdate malware, each compiled from different source languages. These include:

  • Compiled Python: 5.6Mb, SHA-1: fe9ca39a8c3261a4a81d3da55c02ef3ee2b8863f
  • Go: 4.5Mb, SHA-1: 36ecc371e0ef7ae46f25c137aa0498dfd4ff70b3
  • Crystal: 1.2Mb, SHA-1: 86431ce246b54ec3372f08c7739cd1719715b824
  • Rust: 400Kb, SHA-1: 01e762ef8a10bbcda639ed62ef93b784268d925a
  • Nim: 166Kb, SHA-1: 21a2ec703a68382b23ce9ff03ff62dae07374222

Distribution and Impact

The new ReaderUpdate variants are primarily distributed through older infections and third-party downloads, often via trojanized apps like "DragonDrop." These versions are Intel x86-only and require Rosetta 2 on Apple Silicon devices. Recent analyses have focused on the Crystal, Nim, and Rust versions, with the Go variant being documented for the first time.

Go Variant Analysis

The Go variant of ReaderUpdate collects system hardware information to create unique victim IDs and hides within the ~/Library/Application Support/ directory. It maintains persistence using a .plist file and executes remote C2 commands. This variant is believed to be part of a Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) offering.
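As an added defender-side example (not code from the article or from SentinelOne's report), the script below hunts for the persistence pattern just described: per-user launchd plists whose program lives under ~/Library/Application Support/, with each such program's SHA-1 checked against the five hashes listed above. The ~/Library/LaunchAgents location, the ProgramArguments/Program keys and the constructed fixture paths are assumptions about the usual macOS layout, not details taken from the report.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path
# SHA-1 hashes of the five ReaderUpdate variants quoted in the report above.
READERUPDATE_SHA1 = {
    "fe9ca39a8c3261a4a81d3da55c02ef3ee2b8863f": "Compiled Python",
    "36ecc371e0ef7ae46f25c137aa0498dfd4ff70b3": "Go",
    "86431ce246b54ec3372f08c7739cd1719715b824": "Crystal",
    "01e762ef8a10bbcda639ed62ef93b784268d925a": "Rust",
    "21a2ec703a68382b23ce9ff03ff62dae07374222": "Nim",
}

def program_from_plist(plist_path):
    """Executable a launchd plist starts: ProgramArguments[0], else Program, else None."""
    try:
        data = plistlib.loads(Path(plist_path).read_bytes())
    except plistlib.InvalidFileException:
        return None
    args = data.get("ProgramArguments")
    return str(args[0]) if args else (str(data["Program"]) if data.get("Program") else None)

def hunt(home):
    """Flag launch agents whose program lives in Application Support; match SHA-1 to known variants."""
    home = Path(home)
    app_support = (home / "Library" / "Application Support").resolve()
    findings = []
    for plist in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        program = program_from_plist(plist)
        program_path = Path(program).resolve() if program else None
        if not program_path or not program_path.is_relative_to(app_support):
            continue  # no program, or it points elsewhere: outside this hunt's scope
        digest = hashlib.sha1(program_path.read_bytes()).hexdigest() if program_path.is_file() else None
        findings.append({"plist": str(plist), "program": str(program_path),
                         "sha1": digest, "variant": READERUPDATE_SHA1.get(digest)})
    return findings

def make_sample_home():
    """Constructed fixture, not real malware: one agent into Application Support, one benign."""
    home = Path(tempfile.mkdtemp())
    agents = home / "Library" / "LaunchAgents"
    app_dir = home / "Library" / "Application Support" / "Updater"
    for d in (agents, app_dir):
        d.mkdir(parents=True)
    sample = app_dir / "updater"
    sample.write_bytes(b"constructed placeholder bytes, not a real binary")
    for name, keys in (("updater", {"ProgramArguments": [str(sample)]}),
                       ("benign", {"Program": "/usr/bin/true"})):
        (agents / f"com.sample.{name}.plist").write_bytes(plistlib.dumps({"Label": name, **keys}))
    return home
```

A finding whose `variant` is `None` is still worth a look: an unknown binary launched from Application Support matches the layout the report describes even when its hash is not one of the five published.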

Obfuscation Techniques

To evade detection, the malware employs string and URL obfuscation. The developers obfuscated many strings, including the C2 URL and the property list content, using functions that either assemble the characters on the stack at runtime or apply a simple character-substitution algorithm.
