New version of malware AdLoad bypasses Apple XProtect protection


A new variant of AdLoad malware can bypass XProtect's built-in antivirus technology based on Apple YARA signatures to infect macOS computers.


AdLoad is a Trojan used to attack macOS since late 2017. Criminals use AdLoad to install various malicious loads on the victim's system, including adware and potentially unwanted applications. The malware is capable of stealing system information and sending it to remote servers controlled by attackers.


According to experts from the SentinelOne company, the current malicious campaign began in November 2020, and their activity increased from July to early August this year. After infecting devices running macOS, the AdLoad Trojan installs a Man-in-The-Middle (MiTM) web proxy to intercept search results and inject ads on web pages in order to obtain monetary gain.


To ensure persistence on infected computers, AdLoad operators install LaunchAgents and LaunchDaemons, and in some cases, custom cronjobs that run every two and a half hours.


In the course of analyzing this campaign, researchers found more than 220 malware samples, 150 of which were not detected by Apple's built-in antivirus solution. Many samples are signed with valid Developer IDs issued by Apple, while others are signed to run with default gatekeeper settings, experts noted.

Previous Post Next Post