A new AdLoad variant is infecting Macs through multiple campaigns and can fool Apple’s XProtect built-in antivirus.
Since at least 2017, AdLoad has targeted the macOS platform, deploying harmful payloads such as adware and potentially unwanted applications. The malware also collects system information and sends it to remote servers controlled by its operators.
According to researchers from SentinelOne, the attacks began in November 2020 and increased in frequency in July and August this year.
Once AdLoad infects a Mac, it installs a web proxy to carry out a man-in-the-middle (MitM) attack, hijacking search engine results and injecting ads.
It gains persistence on infected Macs by creating or updating LaunchAgents, LaunchDaemons and user cron jobs.
While monitoring the campaign, researchers discovered over 220 samples, most of them unique and undetected by Apple’s built-in antivirus, XProtect.
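As an added illustration of the persistence points named above (this is not code from the article or from SentinelOne), the following Python triage helper parses a launchd job plist and a user crontab and flags entries that run from user-writable, hidden or temporary locations; the sample plist, its label and every path in it are constructed for the demonstration.

```python
import plistlib

# Paths a legitimate launchd job would normally run from; anything else is worth a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

def program_path(plist: dict) -> str:
    """Return the executable a launchd job runs (Program, else first ProgramArguments item)."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def review_launchd_job(label: str, plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent/LaunchDaemon plist and flag traits worth an analyst's attention."""
    plist = plistlib.loads(plist_bytes)
    path = program_path(plist)
    flags = []
    if not path.startswith(TRUSTED_PREFIXES):
        flags.append("program outside standard system/application paths")
    if plist.get("RunAtLoad"):
        flags.append("RunAtLoad")
    if plist.get("KeepAlive"):
        flags.append("KeepAlive")
    if "/tmp/" in path or "/var/folders/" in path or "/." in path:
        flags.append("hidden or temporary directory")
    return {"label": plist.get("Label", label), "program": path, "flags": flags}

def review_crontab(text: str) -> list:
    """Return cron commands that run from a user-writable or hidden location."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split(None, 5)  # minute hour dom month dow command
        cmd = fields[5] if len(fields) == 6 else line
        if cmd.startswith(("/Users/", "/tmp/", "~")) or "/." in cmd:
            findings.append(cmd)
    return findings

# Constructed sample inputs for the demonstration; not real AdLoad artefacts.
SAMPLE_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/Application Support/.hidden/updater", "-d"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_CRON = "# m h dom mon dow command\n*/5 * * * * /Users/alice/Library/.cache/run.sh\n0 3 * * * /usr/bin/true\n"
```

On a real machine the same functions would be fed the plists under the user's and system's LaunchAgents/LaunchDaemons directories and the output of `crontab -l`; the flags are leads for review, not verdicts.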
Many of the samples detected by SentinelOne are signed with valid developer ID certificates.
“At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules,” SentinelOne concluded.
“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”
Previously, Shlayer, another common macOS malware strain, managed to infect over 10% of the computers running Kaspersky’s platform. Its authors fooled Apple’s automated notarization process and could terminate the Gatekeeper protection mechanism to avoid detection.
“Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS,” said Craig Federighi, Apple’s head of software.
For now, both AdLoad and Shlayer deploy only adware as secondary payloads, but their operators could easily switch to more dangerous malware.