A new variant of AdLoad malware is capable of bypassing Apple’s built-in antivirus tech XProtect to infect macOS. XProtect is Apple’s YARA signature-based solution used for the detection of malware which apparently failed to detect the new variant.
What has happened
As reported by SentinelOne researchers, multiple ongoing attacks started in November last year and a rise in activity was detected from early July to early August.
- Researchers have observed more than 220 samples, of which 150 were not detected by XProtect, the built-in antivirus of Apple. Now, it is updated with around a dozen AdLoad signatures.
- Many of the samples spotted by SentinelOne are signed with genuine Developer ID certificates issued by Apple, while others are created to run at default Gatekeeper settings.
According to cybersecurity firm SentinelOne, this malware variant has been a part of multiple campaigns already.
Bypassing technique
- During the attack, once the adware infects a Mac, it installs a Man-in-the-Middle (MITM) web proxy to hijack search engine results. Ads are later injected into web pages for financial gain.
- Following infection, it gains persistence on compromised Macs by installing LaunchDaemons and LaunchAgents. In some instances, user cron jobs are executed every two and a half hours.
Previous similar infections
AdLoad is not the only malware family that can bypass the in-built security of Apple products. Other malware families have been discovered capable of bypassing built-in security inside Mac systems.
- In May, a zero-day exploit was detected in the latest macOS release (CVE-2021-30713). It could have been abused to bypass the Transparency Consent and Control (TCC) framework.
- In April, another zero-day vulnerability was exploited by Shlayer malware to bypass Apple’s Gatekeeper, File Quarantine, and Notarization security checks for downloading second-stage payloads.
Conclusion
Hundreds of unique samples of well-known AdLoad adware were circulating in the wild undetected for almost ten months, which calls for immediate attention. It indicates that attackers are getting smarter with every passing day and emphasizes the need for additional layers of security to protect Mac devices.
Source: https://cyware.com/news/updated-adload-malware-capable-of-bypassing-apples-defenses-ad1eaa37