IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

New Adload malware bypasses Apple’s XProtect to infect macOS devices

Old malware retooled to evade Apple defenses

"Adware" within a series of binary coding

Security researchers have found a new Adload malware variant targeting Apple devices.

Researchers at Sentinel Labs observed over 150 unique samples as part of a new campaign that remains undetected by Apple’s on-device malware scanner.

The AdLoad malware initially surfaced in 2017 but has evolved over the years to evade detection by Apple’s XProtect security system. In 2019, Apple had some partial protection against its earlier variants, but there were no updates to cover the then-new 2019 variant.

AdLoad is a type of adware that redirects a user’s web traffic through the attacker’s preferred servers. The aim is to hijack and redirect user’s web browsers for monetary gain.

Researchers said the 2019 and 2021 AdLoad variants used persistence and executable names that followed a consistent pattern. In 2019, that pattern included some combination of the words “Search,” “Result,” and “Daemon,” such as “ElementarySignalSearchDaemon”.

The latest version uses a different pattern that primarily relies on a file extension that is either .system or .service. The file extension used depends on the location of the dropped persistence file and executable as described below. Still, typically .system and .service files will be found on the same infected device if the user gave privileges to the installer.

With or without privileges, AdLoad will install a persistence agent in the user’s Library LaunchAgents folder.

Related Resource

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Cyber resilience for dummies - How to improve cyber resilience within your organisation - whitepaper from MimecastDownload now

Researchers said they have found around 50 unique label patterns, each having a .service and a .system version. “Based on our previous understanding of AdLoad, we expect there to be many more,” they added.

Further investigations have found more than 150 unique samples in this year’s campaigns. Researchers noted there appears to have been a sharp uptick throughout July and the early weeks of August 2021. Researchers said a single sample of this variant was documented by analysts at Confiant, who described the malware’s string decryption routine.

“It certainly seems possible that the malware developers are taking advantage of the gap in XProtect, which itself has not been updated since a few weeks after Confiant’s research over two months ago. At the time of writing, XProtect was last updated to version 2149 around June 15th – 18th,” researchers said.

“The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices,” researchers concluded.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022