New Adload malware bypasses Apple’s XProtect to infect macOS devices

Security researchers have found a new Adload malware variant targeting Apple devices.

Researchers at Sentinel Labs observed over 150 unique samples as part of a new campaign that remains undetected by Apple’s on-device malware scanner.

The AdLoad malware initially surfaced in 2017 but has evolved over the years to evade detection by Apple’s XProtect security system. In 2019, Apple had some partial protection against its earlier variants, but there were no updates to cover the then-new 2019 variant.

AdLoad is a type of adware that redirects a user’s web traffic through the attacker’s preferred servers. The aim is to hijack and redirect user’s web browsers for monetary gain.

Researchers said the 2019 and 2021 AdLoad variants used persistence and executable names that followed a consistent pattern. In 2019, that pattern included some combination of the words “Search,” “Result,” and “Daemon,” such as “ElementarySignalSearchDaemon”.

The latest version uses a different pattern that primarily relies on a file extension that is either .system or .service. The file extension used depends on the location of the dropped persistence file and executable as described below. Still, typically .system and .service files will be found on the same infected device if the user gave privileges to the installer.

With or without privileges, AdLoad will install a persistence agent in the user’s Library LaunchAgents folder.

Researchers said they have found around 50 unique label patterns, each having a .service and a .system version. “Based on our previous understanding of AdLoad, we expect there to be many more,” they added.

Further investigations have found more than 150 unique samples in this year’s campaigns. Researchers noted there appears to have been a sharp uptick throughout July and the early weeks of August 2021. Researchers said a single sample of this variant was documented by analysts at Confiant, who described the malware’s string decryption routine.

“It certainly seems possible that the malware developers are taking advantage of the gap in XProtect, which itself has not been updated since a few weeks after Confiant’s research over two months ago. At the time of writing, XProtect was last updated to version 2149 around June 15th – 18th,” researchers said.

“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices,” researchers concluded.