Since the middle of last year, operators of the ReaderUpdate macOS malware loader have developed a new Go-based variant following the emergence of Crystal-, Nim-, and Rust-based iterations, SecurityWeek reports.
Attackers leveraged malicious package installers with trojanized apps from third-party software download websites to facilitate the distribution of ReaderUpdate, according to an analysis from SentinelOne.
All variants of ReaderUpdate have been spreading the Genieo adware, also known as Dolittle or MaxOfferDeal, through different domains since its initial discovery five years ago, SentinelOne said.
Although the infection pattern has changed little since 2020, the Go variant of ReaderUpdate adds new behavior: it collects system hardware details, which are later used to build a unique identifier sent to the command-and-control server, and it can parse and execute the responses it receives from the C2 server.
"While ReaderUpdate infections have only been associated with known adware, the loader can change the payload to something more malicious. This is consistent with a loader platform that might be used to offer other threat actors Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS)," said SentinelOne researchers.