AdLoad Malware 2021 Samples Skate Past Apple XProtect

A crush of new attacks using the well-known adware involves at least 150 updated samples, many of which aren’t recognized by Apple’s built-in security controls.

A swelling wave of AdLoad malware infections in macOS devices is cresting its way past Apple’s on-device malware scanner, researchers said. The campaign is using around 150 unique samples, some of which are signed by Apple’s notarization service.

AdLoad is a well-known Apple threat that’s been circulating for years. It’s essentially a trojan that opens a backdoor on the affected system in order to download and install adware or potentially unwanted programs (PUPs). It’s also capable of gathering and transmitting information about victim machines, such as username and computer name. It’s also been seen hijacking search engine results and injecting advertisements into web pages.

It’s changed up its tactics lately, creating an opportunity to evade on-board security.

Infosec Insiders Newsletter

“This year we have seen another iteration that continues to impact Mac users who rely solely on Apple’s built-in security control XProtect for malware detection,” Phil Stokes, researcher at SentinelOne’s SentinelLabs, said in a Wednesday posting. “XProtect arguably has around 11 different signatures for AdLoad [but] the variant used in this new campaign is undetected by any of those rules.”

The AdLoader Infection Routine

The 2021 variants of AdLoad have a new approach to infection, the researcher said. First, they begin their assault by installing a persistence agent in the user’s Library LaunchAgents folder, using either the .system or .service file extension, according to Stokes’ technical analysis.

When the user logs in, that persistence agent executes a binary hidden in the same user’s ~/Library/Application Support/folder. That folder in Application Support in turn contains another directory called /Services/, which itself contains a “minimal application bundle,” Stokes explained.

That bundle contains an executable dropper with the same name. There’s also a hidden tracker file called .logg that contains a universally unique identifier (UUID) for the victim; it’s also included in the Application Support folder, Stokes said.

The droppers are slightly obfuscated Zsh scripts which unpack a series of times before finally executing the malware (a shell script) out of the /tmp directory, he noted. Many of them are signed or notarized.

“Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks,” Stokes said. “Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole.”

In any event, “the final payload isn’t known to the current version of Apple’s XProtect, v2149,” he explained.

Capitalizing on Apple XProtect Gaps

SentinelLabs’ researchers observed the latest AdLoader samples used in campaigns starting as early as November of last year, but it wasn’t until this summer – July and August in particular – that the volume of attacks and samples began to tick up sharply.

“It certainly seems possible that the malware developers are taking advantage of the gap in XProtect…At the time of writing, XProtect was last updated to version 2149 around June 15 – 18,” Stokes said, adding that the malware does have a high detection rate in VirusTotal. “The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”

Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.


Suggested articles