New AdLoad malware bypasses Apple’s XProtect to infect macOS devices
Old malware retooled to evade Apple defenses


Security researchers have found a new AdLoad malware variant targeting Apple devices.
Researchers at Sentinel Labs observed over 150 unique samples as part of a new campaign that remains undetected by Apple’s on-device malware scanner.
AdLoad first surfaced in 2017 and has evolved over the years to evade detection by Apple’s XProtect on-device malware scanner. In 2019, XProtect carried partial signatures for the earlier variants, but it was never updated to cover the variant that appeared that year.
AdLoad is adware: it hijacks the victim’s web browser and routes their traffic through the attacker’s preferred servers, monetising the redirected traffic.
Researchers said the 2019 and 2021 AdLoad variants used persistence and executable names that followed a consistent pattern. In 2019, that pattern included some combination of the words “Search,” “Result,” and “Daemon,” such as “ElementarySignalSearchDaemon”.
The latest version uses a different pattern that relies primarily on a file extension of either .system or .service. Which extension is used depends on where the dropped persistence file and executable are written. Typically both .system and .service files will be found on the same infected device if the user granted privileges to the installer.
With or without privileges, AdLoad will install a persistence agent in the user’s Library LaunchAgents folder.
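As an added illustration of the naming pattern just described (this is not SentinelLabs’ tooling or anything from the article), the POSIX shell script below lists launchd property lists whose Label or program path ends in .system or .service. It takes the directories to scan as arguments; the article only names the user’s LaunchAgents folder, so also scanning /Library/LaunchAgents and /Library/LaunchDaemons is an assumption about where a privileged installer would drop the second file. The plists it creates under --demo are constructed for the example and are not real samples.

```shell
#!/bin/sh
# Added example (not from SentinelLabs or the article): triage launchd plists whose
# Label or program path ends in ".system" or ".service", the naming pattern the
# researchers describe. Plain sed/awk so it also runs off-box on exported plists.
# A name match is a lead, not a verdict: follow up on the executable's signature
# and notarization (codesign -dv --verbose=4 <path>) before calling it AdLoad.

# For every *.plist in the given directories, print "<plist>\t<Label>\t<program>"
# when either the Label or the program path ends in .system or .service.
# Expects one key/value per line, as Xcode and `plutil -convert xml1` write them.
find_adload_persistence() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for plist in "$d"/*.plist; do
            [ -f "$plist" ] || continue
            awk -v f="$plist" '
                /<key>/ {   # remember which key the next value belongs to
                    key = $0; sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key); next
                }
                /<string>/ {
                    val = $0; sub(/.*<string>/, "", val); sub(/<\/string>.*/, "", val)
                    if (key == "Label") { label = val }
                    else if (key == "Program") { prog = val }
                    else if (key == "ProgramArguments" && prog == "") { prog = val }  # argv[0]
                }
                END {
                    if (label ~ /\.(system|service)$/ || prog ~ /\.(system|service)$/)
                        printf "%s\t%s\t%s\n", f, label, prog
                }' "$plist"
        done
    done
}

# Constructed sample data, not real AdLoad artefacts: two plists following the
# .service/.system naming and one benign agent. Prints the directory it created.
make_sample_dir() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/com.example.alpha.service.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.alpha.service</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/demo/Library/Application Support/com.example.alpha/com.example.alpha.service</string>
    </array>
</dict>
</plist>
EOF
    cat > "$sample_dir/com.example.beta.system.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.beta.system</string>
    <key>Program</key>
    <string>/Library/Application Support/com.example.beta/com.example.beta.system</string>
</dict>
</plist>
EOF
    cat > "$sample_dir/com.example.benign.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.benign</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/benign-agent</string>
        <string>--quiet</string>
    </array>
</dict>
</plist>
EOF
    printf '%s\n' "$sample_dir"
}

# --demo scans the constructed samples (expect two hits, benign excluded);
# --scan [dir ...] scans real folders, defaulting to the user's LaunchAgents.
case "${1:-}" in
    --demo) demo_dir=$(make_sample_dir); find_adload_persistence "$demo_dir"; rm -rf "$demo_dir" ;;
    --scan) shift; [ $# -gt 0 ] || set -- "$HOME/Library/LaunchAgents"; find_adload_persistence "$@" ;;
esac
```

Run it as `sh hunt.sh --scan ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons` on a suspect Mac; with --demo it prints the two constructed .service and .system plists and skips the benign one. Matching on the extension alone will also catch legitimate agents that happen to use those suffixes, so treat each line as a file to inspect rather than a detection.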
Researchers said they have found around 50 unique label patterns, each having a .service and a .system version. “Based on our previous understanding of AdLoad, we expect there to be many more,” they added.
Further investigation found more than 150 unique samples in this year’s campaigns, with a sharp uptick throughout July and the early weeks of August 2021. A single sample of this variant had previously been documented by analysts at Confiant, who described the malware’s string decryption routine.
“It certainly seems possible that the malware developers are taking advantage of the gap in XProtect, which itself has not been updated since a few weeks after Confiant’s research over two months ago. At the time of writing, XProtect was last updated to version 2149 around June 15th – 18th,” researchers said.
“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices,” researchers concluded.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.