A new strain of the AdLoad adware is infecting macOS systems while slipping past XProtect, Apple's built-in malware scanner. XProtect is a YARA signature-based detection technology, and it appears to have missed the new samples entirely.
According to SentinelOne researchers, the ongoing campaign began in November of last year, with a spike in activity from early July to early August. They found more than 220 samples, 150 of which went undetected by XProtect, even though XProtect now carries roughly a dozen AdLoad signatures.
Several of the samples SentinelOne found are signed with legitimate Apple Developer ID certificates, and others are built to run under Gatekeeper's default settings. SentinelOne notes that this variant has been used in many earlier campaigns.
Once a Mac is infected, the adware installs a man-in-the-middle (MITM) web proxy that hijacks search-engine results and injects advertisements into web pages for the operators' financial gain. On a suspect host, the system proxy settings for the active network service (`networksetup -getwebproxy`, `-getsecurewebproxy` and `-getautoproxyurl`) are therefore the first thing to inspect.
It persists on infected Macs through LaunchDaemons and LaunchAgents and, in some cases, a user cron job that runs every two and a half hours.
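The persistence locations just described are where a responder should look first. The Python below is an added triage example, not code from SentinelOne's report or from this page: it parses a launchd property list and the text of `crontab -l` and flags the traits worth a second look. The plist, the crontab lines, the label `com.Updater.agent`, the paths under `/Users/victim`, and the 9000-second interval are all constructed for illustration; the path heuristics are this example's own assumptions, not AdLoad indicators.

```python
"""Triage helpers for launchd / cron persistence on macOS.

Added example; not SentinelOne's or Apple's code. All sample data below is
constructed for illustration. On a real host, feed this the files under
~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons and the
output of `crontab -l`.
"""
import plistlib
import re

# Heuristic (assumption of this example): benign launchd jobs rarely point into
# temp dirs, hidden directories, or user-writable Application Support paths.
SUSPICIOUS_PATH_RE = re.compile(
    r"/tmp/|/var/folders/|/\.[^/]+/|/Users/[^/]+/Library/Application Support/"
)
# Commands that fetch or decode content from inside a scheduled job.
DOWNLOAD_OR_DECODE_RE = re.compile(r"\bcurl\b|\bosascript\b|base64 -[dD]\b")
CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def review_launch_plist(data: bytes) -> dict:
    """Parse a LaunchAgent/LaunchDaemon plist and return the fields a
    responder cares about, plus human-readable findings."""
    plist = plistlib.loads(data)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    info = {
        "label": plist.get("Label", ""),
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "start_interval": plist.get("StartInterval"),
        "findings": [],
    }
    if SUSPICIOUS_PATH_RE.search(program):
        info["findings"].append(f"program in unusual path: {program}")
    if info["run_at_load"] and info["start_interval"]:
        info["findings"].append(
            f"runs at login and then every {info['start_interval']} s")
    return info


def parse_crontab(text: str) -> list:
    """Parse `crontab -l` output into entries of schedule, command, findings.
    Lines using @reboot-style shortcuts are skipped (not handled here)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) < CRON_FIELDS + 1:
            continue
        schedule, command = " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]
        findings = []
        if SUSPICIOUS_PATH_RE.search(command):
            findings.append(f"command in unusual path: {command}")
        if DOWNLOAD_OR_DECODE_RE.search(command):
            findings.append("command invokes curl/osascript/base64")
        jobs.append({"schedule": schedule, "command": command,
                     "findings": findings})
    return jobs


# Constructed sample LaunchAgent: a hidden user-writable path, started at login
# and every 9000 s (2.5 h). The cadence mirrors the article's cron job; the
# StartInterval key is this example's own choice, not a documented AdLoad trait.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.Updater.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/Application Support/.Updater/Updater</string>
    <string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>9000</integer>
</dict></plist>"""

# Constructed sample of `crontab -l` output: one benign job, one in a hidden dir.
SAMPLE_CRONTAB = """# constructed sample
0 */2 * * * /usr/bin/true
*/30 * * * * /Users/victim/.hidden/run.sh
"""


if __name__ == "__main__":
    agent = review_launch_plist(SAMPLE_PLIST)
    print(f"[launchd] {agent['label']} -> {agent['program']}")
    for finding in agent["findings"]:
        print("  !", finding)
    for job in parse_crontab(SAMPLE_CRONTAB):
        print(f"[cron] {job['schedule']} {job['command']}")
        for finding in job["findings"]:
            print("  !", finding)
```

Run as-is it reports on the constructed samples; in practice, loop over the plists in the three LaunchAgents/LaunchDaemons directories and pass `crontab -l` output for each local user, then compare anything flagged against the signed binaries on disk before deciding it is benign.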
Hundreds of unique AdLoad samples have circulated in the wild undetected for nearly ten months, which calls for prompt intervention. It also shows that attackers keep refining their tradecraft, and underlines that XProtect alone is not a sufficient defence: Mac endpoints need additional security layers.