A New AdLoad Malware Variant Could Go Unnoticed by Apple’s XProtect Defenses
The AdLoad Malware Variant is Apparently Slipping Through Apple’s YARA Signature-Based XProtect Built-in Antivirus Tech.
This new AdLoad malware strain is aiming to infect Macs as part of multiple campaigns.
AdLoad is a trojan that targets only the macOS platform. It is used to deploy malicious payloads such as adware and Potentially Unwanted Applications (PUAs), and it can gather system information that is later sent to remote servers controlled by its operators.
Phil Stokes of SentinelOne tracked the attacks closely and found that the large-scale, ongoing campaign, which started in November 2020, intensified from July of this year.
How Does the AdLoad Malware Work?
Once it has infected a Mac, AdLoad installs a Man-in-the-Middle (MitM) web proxy that is used to hijack search engine results and inject advertisements into web pages for monetary gain.
The malware also gains persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, cron jobs that run every two and a half hours.
When the user logs in, the AdLoad persistence agent will execute a binary hidden in the same user’s ~/Library/Application Support/ folder. That binary follows another deterministic pattern, whereby the child folder in Application Support is prepended with a period and a random string of digits. Within that directory is another directory called /Services/, which in turn contains a minimal application bundle having the same name as the LaunchAgent label. That barebones bundle contains an executable with the same name but without the
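As an added, defender-side example (not code from the article or from SentinelOne), the following shell script checks a directory tree for the layout just described: a dot-plus-digits folder under Application Support, a Services subfolder, a minimal .app bundle, and a LaunchAgent whose label matches the bundle name. It assumes the bundle executable sits at Contents/MacOS/<name> and that the LaunchAgent plist file is named after its label, and it runs against a constructed sample tree rather than a live system.

```shell
#!/bin/sh
# Added example, not code from the article or SentinelOne: a read-only check for
# the persistence layout described above, run against a constructed sample tree.
# Assumptions: the hidden folder is a period followed only by digits, the
# bundle executable sits at Contents/MacOS/<name>, and the LaunchAgent plist
# file is named after its label (<label>.plist).

# scan_adload_layout APP_SUPPORT_DIR LAUNCHAGENTS_DIR
# Prints one line per matching bundle; exit status 1 if nothing matched.
scan_adload_layout() {
    app_support="$1"; agents="$2"; hits=0
    for hidden in "$app_support"/.*; do
        [ -d "$hidden" ] || continue
        base=$(basename "$hidden")
        # keep only ".<digits>" folders; skip . and .. and other dot-folders
        case "$base" in
            .|..) continue ;;
            .[0-9]*) echo "$base" | grep -Eq '^\.[0-9]+$' || continue ;;
            *) continue ;;
        esac
        for bundle in "$hidden"/Services/*.app; do
            [ -d "$bundle" ] || continue
            name=$(basename "$bundle" .app)
            exe="$bundle/Contents/MacOS/$name"
            # barebones bundle: executable named like the bundle, plus a
            # LaunchAgent whose label matches the bundle name
            if [ -f "$exe" ] && [ -f "$agents/$name.plist" ]; then
                echo "suspect: $bundle (agent: $agents/$name.plist)"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# build_sample_tree ROOT: constructed fixture with one matching layout and
# one benign dot-folder (.git) that must not be flagged
build_sample_tree() {
    root="$1"
    mkdir -p "$root/AppSupport/.1234567/Services/Helper.app/Contents/MacOS" \
             "$root/AppSupport/.git/Services/Other.app/Contents/MacOS" \
             "$root/LaunchAgents"
    : > "$root/AppSupport/.1234567/Services/Helper.app/Contents/MacOS/Helper"
    : > "$root/AppSupport/.git/Services/Other.app/Contents/MacOS/Other"
    printf '<plist><dict><key>Label</key><string>Helper</string></dict></plist>\n' \
        > "$root/LaunchAgents/Helper.plist"
}
```

On a real Mac the two arguments would be ~/Library/Application Support and ~/Library/LaunchAgents; a hit is a lead for investigation, not proof of infection on its own.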
Phil Stokes analyzed more than 220 samples, 150 of them unique and undetected by Apple’s built-in antivirus, and found that many of the samples detected by SentinelOne were signed with valid Apple-issued Developer ID certificates, while others were notarized so that they run under default Gatekeeper settings.
At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules.
The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.
To put this threat in perspective, recall Shlayer, another common macOS malware strain that also bypasses XProtect and infects Macs with further malicious payloads. Shlayer recently exploited a macOS zero-day to bypass Apple’s File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads onto compromised Macs.
Even though these specific malware strains currently deploy only adware and bundleware as secondary payloads, their creators can, unfortunately, switch to deploying more dangerous malware at any time.