A concerning evolution of the ReaderUpdate malware is actively targeting macOS systems with new variants written in multiple programming languages, according to security researchers at SentinelOne.
The malware, which has been operating since 2020, has expanded beyond its original Python-based version to include variants written in Crystal, Nim, Rust, and Go. This diversification makes the threat more difficult to detect and analyze, since each rewrite changes the binary's structure and the signatures that match it.
The malware spreads through existing infections and compromised third-party downloads, particularly via trojanized applications like "DragonDrop." All current versions are designed for Intel x86 systems and require Rosetta 2 to run on Apple Silicon machines.
SentinelOne's analysis reveals that the Go variant, which is the newest documented version, collects system hardware information to create unique victim IDs. It establishes persistence through a .plist file and hides itself in the Library/Application Support directory. The malware can execute remote commands and potentially serves as a platform for Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) operations.
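A defender-side check for the persistence pattern described above, added here as an example and not code from the article or from SentinelOne. It assumes the .plist is a launchd agent or daemon (the article says only ".plist" and Library/Application Support); the labels and paths in the samples are constructed.

```python
import plistlib
from pathlib import Path
# Assumption (not stated in the article): the persistence plist is a launchd item whose
# program lives under a Library/Application Support path. All names here are constructed.
APP_SUPPORT = "/Library/Application Support/"

def program_path(item: dict):
    """Resolve the executable a launchd item runs (ProgramArguments[0] or Program)."""
    args = item.get("ProgramArguments")
    return str(args[0]) if isinstance(args, list) and args else item.get("Program")

def assess(item: dict) -> list:
    """Indicators that a launchd item matches the described persistence pattern."""
    path = program_path(item) or ""
    reasons = [k + " is set" for k in ("RunAtLoad", "KeepAlive") if item.get(k)]
    # A hit needs both the Application Support location and an auto-start key.
    if APP_SUPPORT in path and reasons:
        return ["program lives under Library/Application Support"] + reasons
    return []

def scan_blobs(blobs: dict) -> dict:
    """Scan {name: plist bytes}; return {name: reasons} for flagged or unparseable items."""
    hits = {}
    for name, data in blobs.items():
        try:
            reasons = assess(plistlib.loads(data))
        except ValueError:  # plistlib.InvalidFileException is a ValueError
            reasons = ["unparseable plist"]
        if reasons:
            hits[name] = reasons
    return hits

def scan_launch_dirs(dirs=None) -> dict:
    """Read every .plist in the standard launchd directories (or the given ones)."""
    dirs = dirs or [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"),
                    Path("/Library/LaunchDaemons")]
    return scan_blobs({str(p): p.read_bytes() for d in dirs if d.is_dir() for p in d.glob("*.plist")})

# Constructed samples: one mimicking the described pattern, one benign vendor helper.
SAMPLES = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater", "RunAtLoad": True, "KeepAlive": True,
        "ProgramArguments": ["/Users/me/Library/Application Support/updater/updater"]}),
    "com.example.vendorhelper.plist": plistlib.dumps({
        "Label": "com.example.vendorhelper", "RunAtLoad": True,
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper"]}),
}

if __name__ == "__main__":
    for name, reasons in {**scan_blobs(SAMPLES), **scan_launch_dirs()}.items():
        print(name, "->", "; ".join(reasons))
```

Run on a live host, `scan_launch_dirs()` reads the user and system launchd directories; a hit is a starting point for triage, not proof of infection, since legitimate updaters also live under Application Support.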
The variants differ notably in size:
- Python variant: 5.6MB
- Go variant: 4.5MB
- Crystal variant: 1.2MB
- Rust variant: 400KB
- Nim variant: 166KB
While the Nim, Crystal, and Rust versions are commonly seen, the Go variant appears less frequently, with only nine samples discovered so far. These samples are connected to seven domains that are part of a larger malware infrastructure.
The malware employs sophisticated obfuscation techniques, including string manipulation and character substitution algorithms, to avoid detection. This makes analysis and identification more challenging for security tools.
Security experts warn that infected systems remain vulnerable to additional payloads that operators might choose to deliver, highlighting the ongoing risk to macOS users.