
New Adload malware bypasses Apple’s XProtect to infect macOS devices

Old malware retooled to evade Apple defenses


Security researchers have found a new Adload malware variant targeting Apple devices.

Researchers at Sentinel Labs observed over 150 unique samples as part of a new campaign that remains undetected by Apple’s on-device malware scanner.

The AdLoad malware first surfaced in 2017 and has evolved over the years to evade detection by Apple’s XProtect security system. In 2019, XProtect offered partial protection against earlier variants, but it was not updated to cover the variant that appeared that year.

AdLoad is a type of adware that redirects a user’s web traffic through the attacker’s preferred servers. The aim is to hijack and redirect users’ web browsers for monetary gain.

Researchers said the 2019 and 2021 AdLoad variants used persistence and executable names that followed a consistent pattern. In 2019, that pattern included some combination of the words “Search,” “Result,” and “Daemon,” such as “ElementarySignalSearchDaemon”.

The latest version uses a different pattern that relies primarily on a file extension of either .system or .service. Which extension is used depends on where the persistence file and executable are dropped. Typically, both .system and .service files will be found on the same infected device if the user granted privileges to the installer.

With or without privileges, AdLoad will install a persistence agent in the user’s Library LaunchAgents folder.
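As an added detection example (not code from the article or from SentinelLabs), the following Python sweep reads launchd property lists in the LaunchAgents and LaunchDaemons folders and flags any whose launched executable carries the .system or .service extension the article describes. The sample plists, the label and the file paths in it are constructed placeholders, not real AdLoad artifacts.

```python
import plistlib
from pathlib import Path

# Indicator taken from the article: the 2021 variant's persistence executable ends in .system or .service.
SUSPICIOUS_SUFFIXES = (".system", ".service")

# Constructed sample plists (not real AdLoad artifacts) in the shape launchd expects.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder.service</string>
  <key>ProgramArguments</key><array>
    <string>/Users/someone/Library/Application Support/.placeholder/placeholder.service</string>
  </array>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
</dict></plist>"""

def launch_item_program(plist_bytes):
    """Return the executable a launchd plist starts (Program wins over ProgramArguments), or None."""
    data = plistlib.loads(plist_bytes)
    if isinstance(data.get("Program"), str):
        return data["Program"]
    args = data.get("ProgramArguments")
    return args[0] if isinstance(args, list) and args else None

def flag_plist(plist_bytes):
    """Return (label, program) when the launched binary has a .system/.service suffix, else None."""
    program = launch_item_program(plist_bytes)
    if program and program.lower().endswith(SUSPICIOUS_SUFFIXES):
        return plistlib.loads(plist_bytes).get("Label", "<no label>"), program
    return None

def scan_launch_dirs(dirs):
    """Sweep launchd folders; return (plist path, label, program) for every flagged item."""
    hits = []
    for directory in dirs:
        base = Path(directory).expanduser()
        if not base.is_dir():
            continue
        for path in base.glob("*.plist"):
            try:
                hit = flag_plist(path.read_bytes())
            except Exception:  # unreadable or malformed plist: skip it, keep sweeping
                continue
            if hit:
                hits.append((str(path), *hit))
    return hits
```

On a live Mac, call `scan_launch_dirs(["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"])` to cover the per-user folder named in the article plus the system-wide launchd folders; a hit is a lead for triage, not proof of infection on its own.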


Researchers said they have found around 50 unique label patterns, each having a .service and a .system version. “Based on our previous understanding of AdLoad, we expect there to be many more,” they added.

Further investigation has found more than 150 unique samples in this year’s campaigns, and researchers noted a sharp uptick throughout July and the early weeks of August 2021. A single sample of this variant had previously been documented by analysts at Confiant, who described the malware’s string decryption routine.

“It certainly seems possible that the malware developers are taking advantage of the gap in XProtect, which itself has not been updated since a few weeks after Confiant’s research over two months ago. At the time of writing, XProtect was last updated to version 2149 around June 15th – 18th,” researchers said.

“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices,” researchers concluded.
