AdLoad is a widespread trojan that currently targets macOS and is used to deploy malicious payloads, including adware and Potentially Unwanted Applications (PUAs). AdLoad campaigns in 2021 use a different pattern from the one seen previously and rely on a file with either a .system or a .service extension. SentinelOne researchers reported today, August 11th, that around 50 unique label patterns have been found, each with both a .system and a .service version. The researchers also found that, of more than 220 samples tested, 150 were unique and undetected by Apple's built-in antivirus, XProtect.
Once a machine is infected, AdLoad installs a Man-in-the-Middle (MitM) web proxy that redirects the user's web traffic through the attacker's preferred servers and injects advertisements into web pages for monetary gain. It gains persistence on infected machines by installing LaunchAgents and LaunchDaemons. The droppers for this campaign use a fake Player.app mounted in a DMG; many carry a valid code signature, and some have even been notarized.
The malware also includes the ability to disable the Gatekeeper protection mechanism so that unsigned second-stage payloads can run.
To prevent infection in the first place, do not download software, files, or any other content from unofficial websites, do not update software through fake, unofficial updaters, and do not click on intrusive ads. Once a machine has been infected, it is difficult for individual users to remove the malware: with multiple persistence mechanisms in play, including launch agents, launch daemons, cron jobs, and processes running in memory out of /var/root, it can take several attempts to remove all of them before one of them rewrites the deleted files back onto the disk. It is recommended to use monitoring such as Binary Defense's Managed Detection & Response to help identify threats, investigate alerts, and contain them.
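The persistence traits named above (launchd items with .system/.service labels, cron jobs, and activity under /var/root) are the natural starting point for a host triage. The script below is an added example written for this page; it is not tooling from SentinelOne or Binary Defense. It assumes the label appears in the plist's Label key and that the plists are in XML form (binary plists need `plutil -convert xml1 -o - file` first); the labels, paths and cron lines it runs against are constructed samples, not real indicators.

```shell
#!/bin/sh
# Added triage helper (hypothetical; not SentinelOne's or Binary Defense's tooling).
# Flags launchd plists whose Label ends in ".system" or ".service" and cron
# lines that reference /var/root, the two persistence traits the post describes.
# Assumes XML plists; convert binary ones first with:
#   plutil -convert xml1 -o - /path/to/file.plist

# Flatten a plist to one line so a single sed expression can pull a value.
flatten_plist() {
    tr -d '\n\t' < "$1"
}

# Print the <string> that follows <key>Label</key>, or nothing if absent.
plist_label() {
    flatten_plist "$1" |
        sed -n 's/.*<key>Label<\/key> *<string>\([^<]*\)<\/string>.*/\1/p'
}

# Print the first ProgramArguments entry (the launched binary), or nothing.
plist_program() {
    flatten_plist "$1" |
        sed -n 's/.*<key>ProgramArguments<\/key> *<array> *<string>\([^<]*\)<\/string>.*/\1/p'
}

# For every *.plist in DIR, print "path<TAB>label<TAB>program" when the label
# ends in .system or .service. Glob order is lexical, so output is stable.
scan_launch_items() {
    dir="$1"
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        label=$(plist_label "$f")
        case "$label" in
            *.system|*.service)
                printf '%s\t%s\t%s\n' "$f" "$label" "$(plist_program "$f")" ;;
        esac
    done
}

# Print cron lines that reference /var/root; exit 0 even when nothing matches.
scan_cron_text() {
    grep '/var/root' "$1" || true
}

# Write a minimal XML launchd plist. Used only for the constructed samples below.
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$2</string>
    <key>ProgramArguments</key>
    <array>
        <string>$3</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Constructed sample artifacts (invented labels and paths, not real AdLoad IOCs).
make_fixture() {
    write_plist "$1/com.apple.benign.plist" com.apple.benign /usr/libexec/benign
    write_plist "$1/com.example.service.plist" com.example.service \
        "/Library/Application Support/.example/Services/com.example.service"
    write_plist "$1/com.example.system.plist" com.example.system \
        "/Library/Application Support/.example/System/com.example.system"
    printf '%s\n%s\n' \
        '0 3 * * * /usr/bin/benign-backup' \
        '*/5 * * * * /var/root/.example/update.sh' > "$1/crontab.txt"
}

# Demo on the constructed samples. On a real host, point scan_launch_items at
# ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, and
# feed scan_cron_text the saved output of "crontab -l" for each user and root.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    echo "== launchd items with .system/.service labels =="
    scan_launch_items "$d"
    echo "== cron lines touching /var/root =="
    scan_cron_text "$d/crontab.txt"
    rm -rf "$d"
}
demo
```

Treat a hit as a triage lead rather than a verdict: legitimate software can ship a launchd label ending in .service, so confirm by checking the program path and signature (`codesign -dv --verbose=4 <program>`) and by looking for the matching .system/.service pair the report describes. Because the malware re-creates deleted items, collect all hits first and unload and remove them together (`launchctl bootout`, then delete the plist and its program) rather than one at a time.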