In recent weeks, there has been increased awareness of a common Mac malware campaign dubbed Adload. It typically consists of a Trojan horse dropper app, often disguised as a Flash Player installer, which installs a LaunchAgent or LaunchDaemon as a method of persistence (so the malware can continue to infect the Mac whenever it gets powered on or restarted).
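The LaunchAgent and LaunchDaemon persistence described above can be reviewed by listing the launchd job files on a Mac and looking at what each one runs. The Python script below is an added example, not part of the original article or of any Intego product; the function names and flag heuristics are illustrative assumptions for triage and are not Adload indicators.

```python
import plistlib
from pathlib import Path

# launchd job directories on macOS (system-wide and per-user).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]
# Assumed triage heuristics, not Adload indicators: places any user process can write.
WRITABLE_HINTS = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/Library/Application Support/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript"}


def describe_job(plist_path):
    """Parse one launchd plist; return its label, command line and triage flags."""
    info = {"path": str(plist_path), "label": None, "argv": [], "flags": []}
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # a malformed job file is itself worth a look
        info["flags"].append(f"unparseable ({type(exc).__name__})")
        return info
    argv = [str(a) for a in job.get("ProgramArguments") or []]
    program = str(job.get("Program") or (argv[0] if argv else ""))
    info.update(label=job.get("Label"), argv=argv or [program])
    if job.get("RunAtLoad"):
        info["flags"].append("starts when the job is loaded (RunAtLoad)")
    if job.get("KeepAlive"):
        info["flags"].append("restarted if it exits (KeepAlive)")
    if any(hint in program for hint in WRITABLE_HINTS):
        info["flags"].append("program in user-writable location")
    if any(part.startswith(".") for part in Path(program).parts):
        info["flags"].append("hidden path component")
    if Path(program).name in INTERPRETERS:
        info["flags"].append("launches a script interpreter")
    return info


def audit(dirs=LAUNCHD_DIRS):
    """Return every job found in dirs, most-flagged first."""
    jobs = []
    for d in dirs:
        folder = Path(d).expanduser()
        if folder.is_dir():
            jobs += [describe_job(p) for p in sorted(folder.glob("*.plist"))]
    return sorted(jobs, key=lambda j: len(j["flags"]), reverse=True)


if __name__ == "__main__":
    for job in audit():
        print(f'{len(job["flags"])} flag(s)  {job["label"]}  {" ".join(job["argv"])}')
        for flag in job["flags"]:
            print("    -", flag)
```

Flags only rank entries for manual review; many legitimate applications also install jobs that start at load and stay alive.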
Intego VirusBarrier X9 detects files from this Adload campaign as OSX/Adload and OSX/Bundlore.zsh. However, Apple’s XProtect definitions built into macOS did not detect much of this malware until several months after it had already been infecting Macs.
Read on for more details on this latest Mac malware threat.
How does Adload malware spread?
The latest OSX/Adload variants arrive via an OSX/Bundlore Trojan horse, which generally masquerades as an installer mimicking the icon art style of Adobe Flash Player, and continues to claim to be Flash Player during the installation process.
Most often, such Trojan horses are unintentionally encountered when a victim visits a malicious link, or a compromised (hacked) site that automatically redirects to a malicious download. In some cases, poisoned search results on Google or other search engines may lead to such malware.
Why does malware still pretend to be Flash Player?
Adobe Flash Player officially ended security updates on December 31, 2020, but that hasn’t stopped malware makers from disguising their Trojan horses as Flash installers.
The reality is, however, that most non-geeks are unaware that Flash is past its end of life. At one point in Flash Player’s history, installing urgent Flash updates became an almost weekly occurrence, as new zero-day exploits for the bug-riddled software were found routinely.
Old habits die hard, and many users have come to expect that they need to update Flash whenever they’re prompted to. For some, it has become an almost Pavlovian response—and that seems to be what malware makers are banking on.