New macOS Malware ‘ReaderUpdate’ Upgraded Arsenal With Nim and Rust Variants

A sophisticated macOS malware loader platform known as “ReaderUpdate” has significantly evolved its capabilities, with researchers identifying new variants written in the Nim and Rust programming languages.

Despite being active since at least 2020, this threat has remained largely undetected by many security vendors.

Initially distributed as a compiled Python binary, ReaderUpdate has expanded its arsenal with implementations in Crystal, Nim, Rust, and most recently Go, showcasing the malware authors’ adaptability and technical sophistication.

The malware typically reaches victims through free or third-party software download sites, often disguised within package installers containing fake or trojanized utility applications like “DragonDrop.”

Once installed, ReaderUpdate establishes persistence and communicates with command and control (C2) servers to receive further instructions or deliver secondary payloads.

To date, most infections have delivered Genieo (aka DOLITTLE) adware, though the platform’s capabilities extend far beyond this relatively benign payload.

SentinelOne researchers noted that the malware’s modular architecture and loader capabilities make it particularly concerning, as it can easily pivot to delivering more dangerous payloads.

Analysis revealed that the malware operators have established an extensive infrastructure spanning multiple domains, including entryway[.]world, airconditionersontop[.]com, and streamingleaksnow[.]com, among others.

This infrastructure connects all variant types to a common operation.

The malware’s implementation across five different programming languages represents an unusual investment in diversification.

The compiled Python version weighs 5.6MB, while the Go variant is 4.5MB, Crystal is 1.2MB, Rust is 400KB, and Nim is the smallest at just 166KB. This variety suggests possible experimentation with detection evasion techniques across different development platforms.

Infection Mechanism and Persistence

ReaderUpdate’s infection sequence begins by collecting system hardware information using the native system_profiler SPHardwareDataType command. This data forms a unique identifier for the victim that is later transmitted to C2 servers.

The malware then verifies its execution location, creating a dedicated folder structure if needed:

~/Library/Application Support//
~/Library/LaunchAgents/com..plist

For persistence, ReaderUpdate creates a LaunchAgent that executes the malware at login. The plist file follows a consistent pattern:

Label
com.etc
KeepAlive

RunAtLoad

Program
/Users/[username]/Library/Application Support/etc/etc

This setup enables the malware to maintain resilience against system reboots while positioning itself to receive further commands from its operators.
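As an added illustration (not code from the article or from SentinelOne's research), the following Python triage helper parses LaunchAgent plists with the standard library's plistlib and flags the combination described above: a Program path under the user's Application Support folder together with RunAtLoad and KeepAlive. The sample plist, its label, the user name and the path are constructed placeholders, not real indicators.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed sample LaunchAgent that mirrors the pattern the article describes
# (Label, KeepAlive, RunAtLoad, Program under ~/Library/Application Support).
# Label, user name and path are placeholders, not real indicators.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
  <key>Program</key>
  <string>/Users/alice/Library/Application Support/placeholder/placeholder</string>
</dict></plist>
"""

def launch_agent_findings(plist_bytes: bytes, username: str) -> list[str]:
    """Return the reasons a LaunchAgent matches the pattern above (empty = none).

    RunAtLoad and KeepAlive are common in legitimate agents; the discriminating
    signal is a binary living under the user's Application Support folder."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist (possible tampering or non-standard format)"]
    # launchd accepts either a single Program string or a ProgramArguments array
    program = data.get("Program") or next(iter(data.get("ProgramArguments", [])), None)
    if not isinstance(program, str):
        return []
    if not program.startswith(f"/Users/{username}/Library/Application Support/"):
        return []  # location does not match; the flags alone are benign
    findings = ["Program lives under user Application Support"]
    if data.get("RunAtLoad") is True:
        findings.append("RunAtLoad: executes at login")
    if bool(data.get("KeepAlive")):  # may be a bool or a dict of conditions
        findings.append("KeepAlive: relaunched if terminated")
    return findings

def scan_launch_agents(agents_dir: Path, username: str) -> dict[str, list[str]]:
    """Walk a LaunchAgents directory and map each suspicious plist to its findings."""
    results = {}
    for plist_path in sorted(agents_dir.glob("*.plist")):
        findings = launch_agent_findings(plist_path.read_bytes(), username)
        if findings:
            results[plist_path.name] = findings
    return results

if __name__ == "__main__":
    print(launch_agent_findings(SAMPLE_PLIST, "alice"))
    home = Path.home()
    print(scan_launch_agents(home / "Library" / "LaunchAgents", home.name))
```

Run on a real Mac it lists only agents whose Program path sits under the current user's Application Support folder; a hit is a starting point for inspection, not proof of infection.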

The loader’s capability to execute arbitrary commands makes it a potential vector for Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS) operations targeting macOS users.
