New variant of AdLoad malware breaks through Apple’s XProtect defenses
A new variant of the AdLoad malware slips past Apple’s YARA signature-based XProtect built-in antivirus to infect Macs in multiple campaigns tracked by security researchers at SentinelOne.
AdLoad is a widespread Trojan that has targeted macOS since at least late 2017 and is used to deploy various malicious payloads, including adware and potentially unwanted applications (PUAs).
The malware can also harvest system information, which it sends to remote servers controlled by its operators.
Increasingly active since July
These ongoing attacks began as early as November 2020, according to SentinelOne, with activity increasing from July into early August.
Once it infects a Mac, AdLoad installs a man-in-the-middle (MitM) web proxy to hijack search engine results and inject ads into web pages for monetary gain.
It also gains persistence on infected Macs by installing LaunchAgents and LaunchDaemons and, in some cases, user cron jobs that run every two and a half hours.
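The persistence mechanisms just described (launchd agents and daemons plus user cron jobs) are the first places to look on a Mac suspected of carrying AdLoad. The script below is an added example for this article, not SentinelOne's or Apple's code: the launchd directories are the real macOS locations, while the "user-writable path" heuristic, the sample plist and the sample crontab are constructed for illustration and are not indicators taken from the report.

```python
"""Inventory the macOS persistence points AdLoad is reported to use (launchd agents,
daemons and user cron jobs) and flag the items worth a closer look. Added example for
this article, not SentinelOne's or Apple's code: the launchd directories are the real
macOS locations; the user-writable-path heuristic, sample plist and crontab are constructed."""
import plistlib
import re
import subprocess
from pathlib import Path

LAUNCHD_DIRS = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
                Path.home() / "Library" / "LaunchAgents"]

# Heuristic (assumption): vendor-installed launchd items point at /Applications, /Library
# or /usr; a program living where any user process can write (hidden home directories,
# Application Support, temp dirs) deserves triage.
USER_WRITABLE = re.compile(
    r"/Users/[^/\s]+/(?:Library/Application Support/|Library/[^/\s]+/|\.)"
    r"|/tmp/|/private/tmp/|/var/tmp/|/Users/Shared/")

def parse_launchd_plist(data):
    """Pull the triage-relevant keys out of a launchd property list (XML or binary)."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    return {"label": plist.get("Label", ""),
            "program": plist.get("Program") or (args[0] if args else ""),
            "args": args,
            "start_interval": plist.get("StartInterval")}

def triage_launchd(data):
    """Return the reasons an item is suspicious; an empty list means nothing flagged."""
    item = parse_launchd_plist(data)
    reasons = []
    if USER_WRITABLE.match(item["program"]):
        reasons.append("program under user-writable path: " + item["program"])
    if item["args"][:2] in (["/bin/sh", "-c"], ["/bin/bash", "-c"], ["/bin/zsh", "-c"]):
        # an inline shell one-liner hides the real payload from a plain listing
        reasons.append("inline shell command: " + " ".join(item["args"][2:]))
    return reasons

def parse_crontab(text):
    """Split `crontab -l` output into (schedule, command) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or environment assignment
        if line.startswith("@"):  # @reboot, @hourly, ...
            parts = line.split(None, 1)
        else:  # minute hour day month weekday command
            fields = line.split(None, 5)
            parts = [" ".join(fields[:5])] + fields[5:]
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries

def triage_crontab(text):
    """Crontab entries whose command touches a user-writable path."""
    return [(s, c) for s, c in parse_crontab(text) if USER_WRITABLE.search(c)]

def scan_host():
    """Run both checks against the live system; only meaningful on macOS."""
    findings = {"launchd": [], "cron": []}
    for directory in LAUNCHD_DIRS:
        for plist in (directory.glob("*.plist") if directory.is_dir() else []):
            reasons = triage_launchd(plist.read_bytes())
            if reasons:
                findings["launchd"].append((str(plist), reasons))
    try:
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        cron = ""
    findings["cron"] = triage_crontab(cron)
    return findings

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.helper/helper</string></array>
  <key>RunAtLoad</key><true/><key>StartInterval</key><integer>9000</integer>
</dict></plist>"""

SAMPLE_CRONTAB = """# constructed sample, not a real capture
SHELL=/bin/sh
0 3 * * * /usr/bin/true
*/30 * * * * /Users/alice/Library/Application Support/.helper/helper >/dev/null 2>&1
@reboot /Users/alice/.cache/updater
"""

if __name__ == "__main__":
    print("sample plist:", triage_launchd(SAMPLE_PLIST))
    print("sample crontab:", triage_crontab(SAMPLE_CRONTAB))
    print("this host:", scan_host())
```

Run on a Mac, `scan_host()` walks the three launchd directories and the current user's crontab; on any other system it only exercises the constructed samples. The heuristic is deliberately broad (it will flag legitimate user-installed helpers too), which is the point of a triage list rather than a signature: AdLoad's samples evade XProtect precisely because signatures lag, so a persistence inventory that does not depend on knowing the sample in advance is the more durable check.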
While monitoring this campaign, the researchers observed more than 220 samples, 150 of them unique and undetected by Apple’s built-in antivirus, even though XProtect now ships with around a dozen AdLoad signatures.
Many of the samples SentinelOne found are also signed with valid developer certificates issued by Apple, and some are notarized as well, so they run under Gatekeeper’s default settings.
“At the time of writing, XProtect was last updated around June 15. None of the samples we found are known to XProtect because they do not match any of the scanner’s current Adload rule sets,” SentinelOne concluded.
“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and still go undetected by Apple’s built-in malware scanner demonstrates the need to add additional security checks for Mac devices.”
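The practical question the two quotes raise is which XProtect version a given Mac is actually running and how many of its YARA rules target AdLoad at all. The script below is an added example for this article, not SentinelOne's or Apple's code: it reads the real XProtect bundle paths when they exist, and the family keyword, the way it is matched against rule names and `description` metadata, and the constructed sample rule file are assumptions made for illustration.

```python
"""Report the installed XProtect version and list its YARA rules for a malware family.
Added example for this article, not SentinelOne's or Apple's code. The bundle paths are
the real XProtect locations (Catalina and later, then older releases); the family match
on rule names and meta descriptions, and SAMPLE_YARA, are assumptions for illustration."""
import plistlib
import re
from pathlib import Path

XPROTECT_BUNDLES = [
    Path("/Library/Apple/System/Library/CoreServices/XProtect.bundle"),
    Path("/System/Library/CoreServices/XProtect.bundle"),
]

RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z0-9_]+)", re.M)
META_LINE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
META_SECTION = re.compile(r"meta\s*:(.*?)(?:strings\s*:|condition\s*:)", re.S)

def parse_rules(yara_text):
    """Return [(rule_name, {meta_key: value})] for every rule in a YARA source file."""
    heads = list(RULE_HEADER.finditer(yara_text))
    rules = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(yara_text)
        body = yara_text[head.end():end]
        section = META_SECTION.search(body)
        meta = dict(META_LINE.findall(section.group(1))) if section else {}
        rules.append((head.group(1), meta))
    return rules

def rules_for_family(yara_text, family):
    """Names of rules whose name or meta description mentions the family (case-insensitive)."""
    needle = family.lower()
    return [name for name, meta in parse_rules(yara_text)
            if needle in name.lower() or needle in meta.get("description", "").lower()]

def xprotect_version():
    """CFBundleShortVersionString of the installed XProtect bundle, or None off macOS."""
    for bundle in XPROTECT_BUNDLES:
        info = bundle / "Contents" / "Info.plist"
        if info.is_file():
            with open(info, "rb") as fh:
                return plistlib.load(fh).get("CFBundleShortVersionString")
    return None

def installed_rules_for_family(family):
    """Family rules in the installed XProtect.yara, or None when no bundle is present."""
    for bundle in XPROTECT_BUNDLES:
        yara = bundle / "Contents" / "Resources" / "XProtect.yara"
        if yara.is_file():
            return rules_for_family(yara.read_text(errors="replace"), family)
    return None

SAMPLE_YARA = '''// constructed sample in XProtect's general layout, not the real rule set
rule XProtect_MACOS_0001
{
    meta:
        description = "MACOS.ADLOAD.A"
    strings:
        $a = "adload"
    condition:
        $a
}
private rule helper_shared_strings
{
    strings:
        $b = { 48 65 6c 6c 6f }
    condition:
        $b
}
rule XProtect_MACOS_0002
{
    meta:
        description = "MACOS.SHLAYER.B"
    condition:
        uint32(0) == 0xfeedfacf
}
'''

if __name__ == "__main__":
    print("sample ADLOAD rules:", rules_for_family(SAMPLE_YARA, "adload"))
    print("installed XProtect version:", xprotect_version())
    print("installed ADLOAD rules:", installed_rules_for_family("adload"))
```

On a Mac this prints the bundle version string next to the rule names that reference the family, which is the number SentinelOne compared its 150 undetected samples against; a sample whose strings and structure match none of those rules simply produces no XProtect match, which is the gap the report describes. The parser is intentionally loose (it does not validate YARA syntax) because its job is inventory, not matching.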
Hard to ignore the threat
To put this in perspective, Shlayer, another common macOS malware strain that has previously bypassed XProtect and infected Macs with other malicious payloads, has affected more than 10% of all Apple computers monitored by Kaspersky.
Its creators also got their malware through Apple’s automated notarization process and built in the ability to disable the Gatekeeper protection mechanism so it could run unsigned second-stage payloads.
Shlayer also recently exploited a macOS zero-day to bypass File Quarantine, Gatekeeper, and notarization checks and download malicious second-stage payloads onto compromised Macs.
While AdLoad and Shlayer currently deploy only adware and bundleware as secondary payloads, their creators could switch to more dangerous malware, such as ransomware or wipers, at any time.
“Today we have a level of malware on Mac that we do not find acceptable and which is much worse than iOS,” Craig Federighi, Apple’s senior vice president of software engineering, said under oath during his testimony in the Epic Games vs. Apple trial in May.