A new wave of attacks involving a notorious macOS adware family, dubbed “AdLoad,” has evolved to leverage around 150 unique samples in the wild in 2021. The malware is one of several widespread adware and bundleware loaders targeting macOS. It is capable of backdooring an affected system to download and install adware or potentially unwanted programs (PUPs), as well as amassing and transmitting information about victim machines.
The new iteration continues to impact Mac users who rely solely on Apple’s built-in security control, XProtect, for malware detection. Although XProtect has around 11 different signatures for AdLoad, the variant used in this new campaign is not detected by any of those rules.
The latest version of AdLoad uses persistence and executable names with a different file extension pattern (.system or .service), enabling the malware to get around the additional security protections incorporated by Apple. The result is the installation of a persistence agent, which in turn triggers an attack chain that deploys malicious droppers masquerading as a fake Player.app to install the malware.
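A defender-side check for the naming pattern described above, added here as an example rather than code from the article: it parses launchd job plists and flags any whose executable ends in .system or .service. The sample plists, labels and paths are constructed for illustration, not real AdLoad artifacts.

```python
import plistlib
from pathlib import Path
from typing import Dict, Iterable, Optional, Union

# File-extension pattern the article attributes to the new AdLoad variant's
# persistence agents and executables.
SUSPICIOUS_SUFFIXES = (".system", ".service")

# Constructed sample launchd plists (hypothetical labels and paths): one mimics
# the pattern described in the article, the other is an ordinary agent.
SAMPLE_AGENT_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/Application Support/.updater/updater.system"],
    "RunAtLoad": True,
})
SAMPLE_AGENT_BENIGN = plistlib.dumps({
    "Label": "com.example.sync",
    "Program": "/Applications/Sync.app/Contents/MacOS/Sync",
    "RunAtLoad": True,
})

def program_path(plist: dict) -> Optional[str]:
    """Return the executable launchd would run for this job, if any."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def flag_plist(data: bytes) -> Optional[str]:
    """Return the executable path if it matches the .system/.service pattern."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed or non-plist input: nothing to flag
        return None
    path = program_path(plist)
    if path and Path(path).suffix.lower() in SUSPICIOUS_SUFFIXES:
        return path
    return None

def scan_launch_dirs(dirs: Iterable[Union[str, Path]]) -> Dict[str, str]:
    """Walk LaunchAgents/LaunchDaemons directories; map plist path -> flagged executable."""
    hits: Dict[str, str] = {}
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for plist_file in d.glob("*.plist"):
            hit = flag_plist(plist_file.read_bytes())
            if hit:
                hits[str(plist_file)] = hit
    return hits

if __name__ == "__main__":
    dirs = [Path.home() / "Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    for plist_path, exe in scan_launch_dirs(dirs).items():
        print(f"suspicious launchd job {plist_path} -> {exe}")
```

A hit from this check is a triage lead, not proof of infection; confirm with the code signature and origin of the flagged binary.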
The droppers are signed with valid developer certificates. Apple has since revoked those certificates, which offers some belated and temporary protection against further infections by those particular signed samples through Gatekeeper and OCSP signature checks.
Malware on macOS is a problem that the device manufacturer is struggling to cope with. The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and still remain undetected by Apple’s built-in malware scanner demonstrates the need to add further endpoint security controls to Mac devices.