According to SentinelOne, there is a new variant of AdLoad targeting macOS with about 150 unique samples discovered in 2021 alone; while Apple's XProtect, the built-in security control for malware detection, though containing around 11 signatures for different AdLoads, the new variant involved in this campaign remains undetected by any of the rules.
Apple's on-device malware scanner failed to detect the new variant as well and even, it is signed by the notarization service, which goes to show the extent malicious software have gone in attempts to adapt and evade detection.
How the New AdLoad Variant bypasses Apple's XProtect to target macOS Systems?
The old AdLoad variant was reported in 2019, which Apple now has some partial protection against it; though XProtect has around 11 different signatures for AdLoad, the variant involved in this new campaign is undetected by any of those rules.
The new version of AdLoad leverages on persistence and executable names with different file extension pattern, such as .system or .service, thus enabling the malware to get around traditional security protections incorporated by Apple. And the installation of a persistence agent, in turn, triggers the attack chain that deploys malicious droppers as a fake Player.app to install malware.
Interestingly, the droppers share the same pattern as Bundlore/Shlayer droppers, as they use a fake Player.app mounted in a DMG with several of them signed with a valid signature; in some cases, even notarized.
How to Mitigate against the New AdLoad Variant?
AdLoad is one of the malware families, similar to Shlayer, known to effectively bypass XProtect and the fact that a well documented adware variant has been circulating for about 10 months and still remain undetected by Apple's malware scanner underscores the necessity of implementing further endpoint security controls to devices.
Apple itself has noted that malware on macOS is a problem that they are struggling with, and recently, the company addressed a zero-day flaw actively exploited in its Gatekeeper service by the Shlayer operators to deploy adware on compromised systems.
No comments