A wave of new AdLoad malware attacks involves more than 150 updated samples, many of which are undetectable by Apple’s security controls.
According to researchers, a recent wake of AdLoad malware infections affecting macOS devices is going unnoticed by Apple’s on-device malware scanner. The new malicious campaign uses approximately 150 unique samples, some of them even signed by Apple’s notarization service.
AdLoad is a trojan that opens a backdoor on the infected system that allows hackers to download and install adware and/or potentially unwanted programs (PUPs). It’s an already famous Apple threat that has been around for years now.
Among its most scary abilities are gathering and transmitting data regarding the infected machines, such as username and computer name, and even hijacking search engine results and forcing ads into web pages.
Apparently, attackers have tweaked their tactics lately, finding loopholes to evade built-in security.
“This year we have seen another iteration that continues to impact Mac users who rely solely on Apple’s built-in security control XProtect for malware detection,” Phil Stokes, researcher at SentinelOne’s SentinelLabs, said in a Wednesday post. “XProtect arguably has around 11 different signatures for AdLoad [but] the variant used in this new campaign is undetected by any of those rules.”
How AdLoad Malware Infects A Device
The latest AdLoad malware variants changed the way they infect devices, the researcher noted. The first step of their new approach is installing a persistence agent in the user’s Library LaunchAgents folder, using one of the following file extensions: .system or .service.
The malicious agent executes a file in the same user’s ~/Library/Application Support/folder when the user logs in. That folder contains another directory named /Services/, which itself contains a “minimal application bundle,” according to Stokes.
The bundle contains an executable dropper with the same name. Included in the Application Support folder, a hidden tracker called .logg contains a universally unique identifier (UUID) for each victim.
The researcher added that the droppers are more complex Zsh scripts and unpack a few times before actually executing the malware out of the /tmp directory. In addition, many of these droppers are signed or notarized.
“Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks,” Stokes said. “Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole.”
In any case, “the final payload isn’t known to the current version of Apple’s XProtect, v2149,” he noted.
Apple XProtect Needs Some Improvement
Threat actors have been using the recent AdLoad malware samples in malicious campaigns since as early as November 2020. Still, the volume of attacks and samples began to swell massively, only starting with the last two months, according to SentinelLab.
“It certainly seems possible that the malware developers are taking advantage of the gap in XProtect…At the time of writing, XProtect was last updated to version 2149 around June 15 – 18,” Stokes said, also noting that AdLoad malware does have a high detection rate in VirusTotal. “The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”
Here, at ATTACK Simulator, we take cybersecurity seriously. For example, we know that most cyberattacks are carried out through phishing, which is why we focus on training, educating, and equipping your staff with the best up-to-date security practices they need to spot and deflect phishing attempts.
Don’t wait until tomorrow and get your quote for our comprehensive Security Awareness Training program here today.