AdLoad is a well-known family of adware and bundleware loaders that has been targeting macOS users since 2017, or even earlier. The threat installs a backdoor on the system to drop adware and potentially unwanted applications (PUAs), and also collects information.
Unfortunately, security researchers recently detected a new campaign distributing an evolved variant of AdLoad. Data shows that at least 150 unique samples of the adware have been circulating this year, some of which successfully bypass Apple's on-device malware protection, known as XProtect. "Some of these samples have been known to have also been blessed by Apple's notarization service," say SentinelOne researchers.
According to their report, this year has seen another iteration of the malicious adware that continues to impact Mac users who rely solely on Apple’s XProtect mechanism for malware detection. “The good news for those without additional security protection is that the previous variant we reported in 2019 is now detected by XProtect, via rule 22d71e9. The bad news is the variant used in this new campaign is undetected by any of those rules.” SentinelOne adds.
What’s different in AdLoad’s 2021 variant?
The latest iteration follows a different persistence pattern: the dropped persistence file and executable use one of two file extensions, .system or .service, and which one is used depends on where they are installed. In most cases both extensions are found on the same infected device, provided the user granted the installer privileges.
Note that AdLoad installs a persistence agent whether or not it obtains privileges; the agent is dropped in the user's ~/Library/LaunchAgents folder.
“To date, we have found around 50 unique label patterns, with each one having both a .service and a .system version. Based on our previous understanding of AdLoad, we expect there to be many more,” the researchers say.
It is worth mentioning that the droppers in the latest AdLoad wave share the same pattern as Bundlore and Shlayer droppers: all of them use a fake Player.app mounted in a DMG. Many of them carry a valid code signature, and in some cases they have also been notarized. The final AdLoad payload is not code-signed and is not known to the current version of Apple's XProtect, v2149.
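As an added hunting example (not code from the article or from SentinelOne's report), the Python script below scans launchd plist directories for agents and daemons whose Label or program path ends in .service or .system, the naming pattern described above, and records whether the referenced binary passes codesign on macOS, since the final payload is described as unsigned. The sample plists, labels and paths it writes are constructed for an offline run and are not real AdLoad indicators; the hidden Application Support folder in them is an assumption.

```python
# Added example: hunt for launchd persistence whose label or program path
# ends in ".service" or ".system". Sample plists below are constructed.
import os
import plistlib
import shutil
import subprocess
import tempfile

SUSPICIOUS_SUFFIXES = (".system", ".service")


def launchd_program(plist):
    """Return the executable a launchd plist starts (Program wins over ProgramArguments[0])."""
    program = plist.get("Program")
    if program:
        return str(program)
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def codesign_status(program):
    """Best-effort signature check; only meaningful on macOS, where codesign exists."""
    if not program or not os.path.exists(program) or shutil.which("codesign") is None:
        return "unknown"
    result = subprocess.run(["codesign", "--verify", "--", program], capture_output=True)
    return "valid" if result.returncode == 0 else "invalid-or-unsigned"


def scan_launchd_dir(directory):
    """Return one finding per plist in `directory` whose Label or program matches the pattern."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            continue  # unparseable plist: no match for this pattern, but worth a manual look
        label = str(plist.get("Label", ""))
        program = launchd_program(plist)
        matched = []
        if label.endswith(SUSPICIOUS_SUFFIXES):
            matched.append("label")
        if program and program.endswith(SUSPICIOUS_SUFFIXES):
            matched.append("program")
        if matched:
            findings.append({
                "plist": path,
                "label": label,
                "program": program,
                "matched": matched,
                "signature": codesign_status(program),
            })
    return findings


def default_launchd_dirs():
    """Where launchd loads persistence from: per-user agents, then system-wide agents and daemons."""
    return [
        os.path.expanduser("~/Library/LaunchAgents"),
        "/Library/LaunchAgents",
        "/Library/LaunchDaemons",
    ]


def write_sample_plists(directory):
    """Constructed samples (hypothetical labels and paths, not real AdLoad indicators)."""
    samples = {
        "com.example.Agent.service.plist": {
            "Label": "com.example.Agent.service",
            "ProgramArguments": ["/Users/demo/Library/Application Support/.example/Agent.service"],
            "RunAtLoad": True,
        },
        "com.example.Daemon.system.plist": {
            "Label": "com.example.Daemon.system",
            "Program": "/Library/Application Support/.example/Daemon.system",
            "RunAtLoad": True,
        },
        "com.example.updater.plist": {  # benign control: must not be reported
            "Label": "com.example.updater",
            "ProgramArguments": ["/usr/bin/true"],
        },
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(content, fh)


def demo():
    """Write the constructed samples to a temp dir and scan it."""
    tmp = tempfile.mkdtemp(prefix="launchd-hunt-")
    write_sample_plists(tmp)
    return scan_launchd_dir(tmp)


if __name__ == "__main__":
    # Offline demonstration first, then a sweep of the live launchd directories.
    for finding in demo() + [f for d in default_launchd_dirs() for f in scan_launchd_dir(d)]:
        print(f"{finding['plist']}: label={finding['label']} program={finding['program']} "
              f"matched={finding['matched']} signature={finding['signature']}")
```

A hit is a lead, not a verdict: legitimate software can use either suffix, so confirm by inspecting the referenced binary, its signing status and the folder it lives in before removing anything.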
A couple of years ago, security researchers came across a new variant of the Shlayer malware, which also targets macOS users. Shlayer is multi-stage malware; its 2019 version gained privilege-escalation capabilities and can disable Gatekeeper to run unsigned second-stage payloads. Shlayer was first discovered in February 2018 by Intego researchers.