Malware

Mysterious Mac malware iWebUpdate discovered; is 5 years old

Posted on by

A mysterious Mac malware sample dubbed iWebUpdate was discovered on Valentine’s Day. One of the strangest things about it is that, although just identified as malware, it had apparently been infecting Macs for approximately the past four and a half years, since August or September 2018.

Let’s examine what we know about this malware, and how to safely remove it from infected systems.

In this article:

How was iWebUpdate discovered?

Patrick Wardle, an independent Mac security researcher, sought to find new evidence to support his personal theory that “there is likely far more (Mac) malware out there than we’re seeing.” In a blog post that he published in the early morning hours of Valentine’s Day, Wardle said that he had just discovered and analyzed a malware sample consistent with that theory. Wardle says that it took him less than ten minutes of browsing VirusTotal to find it, in spite of its 0% detection rate.

VirusTotal is a site where anyone can upload potentially infected files to get the opinions of about 60 different antivirus engines about whether those files may be malicious. Malware researchers can then look for possible malware samples by filtering the list of uploaded files for criteria of interest.

Based on data available on VirusTotal, the iWebUpdate file that Wardle analyzed had been uploaded three times, originally from an unknown country on September 23, 2018. It is unclear whether this first uploader was an actually infected user, or whether the malware author uploaded the sample from a test system to verify whether it was detected by any antivirus engines (a fairly common practice). The file was subsequently re-uploaded twice: apparently from Romania on November 7, 2019, and apparently from the United States on February 10, 2023. The recency of the latter upload helped bring it to Wardle’s attention.

But what’s more interesting than how many times it was actually uploaded is how often the file seems to have been submitted (without re-uploading) and re-analyzed (that is, re-scanned by antivirus engines). It appears that several people over the years had attempted to upload it, were told that VirusTotal already had an identical copy of the file, and then asked VirusTotal to have antivirus engines re-scan it with the latest definitions. VirusTotal’s records list 17 different file paths (including the first upload) that indicate possible real-world infections, and the file was scanned about 20 times between its initial upload and Wardle’s discovery. The numbers of re-scans dropped off precipitously after April 2021, after which it was only scanned once in 2022.

This seems to suggest a fairly widespread distribution of the file from late 2018 to early 2021. Keep in mind that most of these encounters were presumably from users digging through their own Macs’ file systems looking for potentially suspicious files and then uploading them to VirusTotal—something that the average Mac user would never do.

What does iWebUpdate do to an infected computer?

The iWebUpdate malware appears to be a first-stage infection, a way to gain an initial foothold in an infected Mac. It establishes persistence, meaning that it installs itself in such a way that it will automatically load in the background again whenever an infected Mac restarts.

After identifying the infected Mac’s operating system and (attempting to identify) the Mac model on which it’s running, it then attempts to check in with a remote server with a similar name, iwebservicescloud[.]com. From there, it attempts to download an additional payload. As the server appears to no longer host the same command and control system that was in place when the malware was first distributed, it is difficult to determine what the second-stage payload’s capabilities might have been.

Who created iWebUpdate malware?

Due to a variety of factors, including code and server reuse, it can often be difficult to determine with certainty whether a known threat actor was involved with the development or distribution of a particular piece of malware.

Wardle noted something interesting about one past IP address to which iwebservicescloud[.]com resolved during a portion of the time the malware seems to have been active. That IP address, 185.181.104[.]82, appears in a CISA report about Mac malware from the Lazarus Group, and more specifically Operation AppleJeus, as an IP address to which celasllc[.]com once resolved. This does not definitively prove a connection with the same threat actor, but it remains a possible answer as to iWebUpdate’s origin.

Interestingly, VirusTotal also indicates that a certain malware sample seems to have been an “execution parent” of the iWebUpdate malware. According to VirusTotal’s sandbox analysis, this malware (which most vendors identify as OSX/Genieo, and is also known as OSX.FairyTale) drops a file named iWebUpdate in the exact location as this iWebUpdate file was found, and the malware was active around the same time.

What else is noteworthy about the iWebUpdate malware?

Given that the malware was designed in 2018, which pre-dates Apple’s announcement of ARM-based Apple silicon processors, the malware’s code is designed to run on Intel processors. However, given that many Macs today often have the Rosetta 2 Intel emulation framework installed, the malware would likely be able to run successfully on many M1- or M2-based Macs.

Unlike much of the Mac malware we see today, iWebUpdate was not signed by an Apple-issued developer certificate. Because this malware was created before 2019, it pre-dates Apple’s software notarization process, so it isn’t notarized, either. (Notarization was a weak attempt at reducing the amount of malware on the Mac; we’ve seen plenty of Apple-notarized Mac malware.)

As noted above, iWebUpdate attempts to identify the Mac model on which it’s running; our language was intentional. We note that the shell code that iWebUpdate uses to determine the Mac model on which it’s running contains a bug. Although in some cases the code will correctly identify the host Mac, it will fail to make an accurate identification if the Mac was initially set up by transferring data from a previous Mac. Instead, iWebUpdate will mistakenly identify the host Mac as the original Mac model. The malware uses the code:

echo $(defaults read ~/Library/Preferences/com.apple.SystemProfiler.plist 'CPU Names') | cut -d'"' -f4

A correct way to determine the current host Mac would be:

echo $(defaults read ~/Library/Preferences/com.apple.SystemProfiler.plist 'CPU Names' | cut -sd '"' -f 4 | tail -n 1)

It’s also interesting to note that iWeb was the name of Web page development software that Apple offered as part of its iLife suite from 2006 to 2011. The iWebUpdate malware file names and domain may be an attempt to disguise itself as legitimate Apple software.

How can one remove iWebUpdate and other Mac malware?

Intego X9 software boxes

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate Mac malware. Intego software detects this threat under the names OSX/iWebUpdate, OSX/iWebUpdate.ext, and OSX/Dldr.Agent.zbqnj.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the latest Apple silicon Macs running macOS Ventura.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

iWebUpdate indicators of compromise (IoCs)

Three file paths are associated with the iWebUpdate malware:

~/Library/Services/iWebUpdate
~/Library/LaunchAgents/iwebupdate.plist
/tmp/iwup.tmp

Possibly related malware, which installs an iWebUpdate file to the same path noted above, and attempts to phone home to a different file on the same server, may also use a similar folder path:

~/Library/Services/iWebService/
~/Library/LaunchAgents/iwebupdate.plist
/tmp/iwup.tmp

Note that the tilde (~) indicates a particular user’s home folder, for example /Users/admin.

The main sample, iWebUpdate, has a SHA-256 hash of 3e66e664b05b695b0b018d3539412e6643d036c6d1000e03b399986252bddbfb and is available for researchers to download on VirusTotal.

The possibly related malware—identified by most vendors as being part of the OSX/Genieo family, and also identified as OSX.FairyTale—has a hash of 4eaa4caea4ac543516ffc9954a901e8b8e8c623fcce48304ea74d7a74218683b and is also available for researchers to download on VirusTotal.

One command-and-control domain has been identified as having been associated with this malware circa 2018:

iwebservicescloud[.]com

The domain was originally registered in August 2018, and its registration appears to have lapsed after its original ownership. It currently appears that the domain was most recently registered in January 2021, so its current owner may not necessarily be the same party as the original domain owner. However, network administrators can still check recent logs to try to identify whether any computers on their network may have attempted to contact this domain, which could indicate a possible infection.

Is iWebUpdate known by any other names?

Other vendors’ names for threat components from this malware campaign may include variations of the following:

Backdoor ( 0040f3561 ), HEUR:Trojan-Downloader.OSX.Agent.gen, MacOS:Downloader-AX [Drp], Malware.OSX/Dldr.Agent.zbqnj, OSX.Trojan.Gen, OSX/Agent.X!tr.dldr, OSX/TrojanDownloader.Agent.X, Trojan:MacOS/Multiverze, Trojan.Downloader.OSX.Agent, Trojan.MAC.Generic.111537 (B), Trojan.MAC.Generic.D1B3B1, Trojan.OSX.Agent.4!c

How can I learn more?

For additional technical details about the iWebUpdate malware, including his reverse-engineering and analysis of how the binary functions, you can refer to Patrick Wardle’s write-up.

We discussed iWebUpdate on episode 279 of the Intego Mac Podcast:

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →