A new AdLoad malware variant has slipped past Apple’s YARA-signature-based XProtect built-in antivirus to infect Macs as part of multiple campaigns tracked by cybersecurity firm SentinelOne.
AdLoad is a widespread Trojan that targets the macOS platform. Since at least late 2017 it has been used to deploy a variety of malicious payloads, such as adware and potentially unwanted applications (PUAs).
The malware also harvests system information and sends it to a remote server controlled by the operator.
Increasingly active since July
These large-scale, ongoing attacks began as early as November 2020. According to SentinelOne threat researcher Phil Stokes, activity picked up from July through the beginning of August.
Once it infects a Mac, AdLoad installs a Man-in-the-Middle (MiTM) web proxy to hijack search engine results and insert ads into web pages for financial gain.
It also gains persistence on infected Macs by installing LaunchAgents and LaunchDaemons, and possibly a user cron job that runs every two and a half hours.
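To make the persistence locations above concrete, here is an added triage helper (example code, not from SentinelOne’s report or from AdLoad itself) that parses a LaunchAgent/LaunchDaemon plist and a user crontab and flags jobs whose executable lives outside the normal system or application directories. The trusted-prefix list, the sample plist and the crontab line are constructed assumptions, not AdLoad indicators.

```python
import plistlib
from typing import Dict, List

# Directories where a legitimate launchd job's executable normally lives; a job or
# cron entry running from a user-writable location (hidden folder under ~/Library,
# /tmp, ...) is the kind of persistence worth reviewing by hand. Assumed list.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")


def launchd_findings(plist_bytes: bytes) -> Dict[str, object]:
    """Summarise one LaunchAgent/LaunchDaemon plist for persistence review."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    notes: List[str] = []
    if job.get("RunAtLoad"):
        notes.append("RunAtLoad: starts at login/boot")
    if "StartInterval" in job:
        notes.append(f"StartInterval={job['StartInterval']}s: periodic re-execution")
    if job.get("KeepAlive"):
        notes.append("KeepAlive: relaunched if the process exits")
    untrusted = bool(program) and not program.startswith(TRUSTED_PREFIXES)
    return {"label": job.get("Label", "<no Label>"), "program": program,
            "suspicious": untrusted, "notes": notes}


def cron_findings(crontab_text: str) -> List[Dict[str, object]]:
    """Split a crontab into schedule/command pairs; flag commands run from untrusted paths."""
    findings: List[Dict[str, object]] = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)
        # Skip blank lines, comments, VAR=value lines and malformed entries.
        if len(fields) < 6 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        exe = command.split()[0]
        findings.append({"schedule": schedule, "command": command,
                         "suspicious": not exe.startswith(TRUSTED_PREFIXES)})
    return findings


# Constructed sample data (not real AdLoad artefacts): an agent launched from a hidden
# folder in the user's Library and re-run every 9000 s (2.5 h), a benign system-style
# job, and a crontab entry running from a hidden cache directory.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.constructed.agent", "RunAtLoad": True, "StartInterval": 9000,
    "ProgramArguments": ["/Users/demo/Library/Application Support/.x/agent", "-r"]})
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.system.job",
                               "Program": "/usr/libexec/constructed-helper"})
SAMPLE_CRONTAB = "# constructed sample\n0 */3 * * * /Users/demo/.cache/.run >/dev/null 2>&1\n"
```

Run it over the plists in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons plus the output of `crontab -l` to get a first pass at what is set to auto-start on a Mac.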
While monitoring this campaign, the researchers observed over 220 samples, 150 of which are unique and go undetected by Apple’s built-in antivirus, even though XProtect currently ships with about 12 AdLoad signatures.
Many of the samples detected by SentinelOne’s signatures are signed with a valid Apple-issued Developer ID certificate and are notarized, so they run under the default Gatekeeper configuration.
“At the time of writing, XProtect was last updated around June 15th. None of the samples is recognized by XProtect, as they do not match the scanner’s current set of Adload rules,” Stokes concludes.
“The fact that hundreds of unique samples of well-known adware variants have been in circulation for at least 10 months and still remain undetected by Apple’s embedded malware scanners indicates the need to add additional endpoint security controls to Mac devices.”
Threats that are hard to ignore
To put things in perspective, Shlayer is another widespread macOS malware strain that has previously bypassed XProtect to infect Macs with other malicious payloads; it was seen on over 10% of all Apple computers monitored by Kaspersky.
Its creators also managed to get the malware through Apple’s automated notarization process, giving it the ability to disable the Gatekeeper protection mechanism and execute an unsigned second-stage payload.
Shlayer also recently abused a macOS zero-day to bypass Apple’s File Quarantine, Gatekeeper, and notarization security checks and download a second-stage malicious payload to compromised Macs.
Both AdLoad and Shlayer currently deploy only adware and bundleware as secondary payloads, but their authors could switch to more dangerous malware such as ransomware and wipers at any time.
“Today, Macs have an unacceptable level of malware, which is much worse than iOS,” Craig Federighi, Apple’s head of software, said under oath while testifying at the Epic Games vs. Apple trial in May.