Researchers discover new AdLoad malware campaigns targeting Macs and Apple products

SentinelLabs has released a new report on the discovery of a fresh AdLoad adware campaign targeting macOS.





© ZDNet

After first identifying AdLoad in 2019 as an adware and bundleware loader afflicting macOS, the cybersecurity company said it has since seen 150 new samples of the adware that it says “remain undetected by Apple’s on-device malware scanner.” Some of the samples were even notarized by Apple, according to the report.


Apple uses XProtect, its built-in signature-based malware scanner, to detect known threats on all Macs, and it originally added detection for AdLoad, which has circulated on the internet since at least 2017, according to the report. 

XProtect now carries about 11 different signatures for AdLoad, some of which cover the 2019 variant SentinelLabs found that year. But none of the current XProtect signatures catches the newly discovered campaign, according to the company. 

“In 2019, that pattern included some combination of the words ‘Search,’ ‘Result’ and ‘Daemon,’ as in the example shown above: ‘ElementarySignalSearchDaemon.’ Many other examples can be found here. The 2021 variant uses a different pattern that primarily relies on a file extension that is either .system or .service,” the researchers explained.  

“Which file extension is used depends on the location of the dropped persistence file and executable as described below, but typically both .system and .service files will be found on the same infected device if the user gave privileges to the installer.”
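To make the two naming patterns in the quoted passage concrete, here is an added example (it is not code from the SentinelLabs report or from ZDNet) that scans the usual launchd persistence directories and flags any plist whose label fits the 2019 pattern (at least two of the words “Search”, “Result” and “Daemon”) or whose label, program path or plist filename ends in the 2021 “.system” or “.service” extension. The directory list, the way the plist fields are read, and the three sample plists are constructed for illustration; the only label taken from the article is ElementarySignalSearchDaemon.

```python
"""Hunt for AdLoad-style launchd persistence labels (added example, not the report's code)."""
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Where launchd persistence is commonly dropped on macOS (assumed list, not from the report).
LAUNCHD_DIRS = [
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path.home() / "Library" / "LaunchAgents",
]

# 2019 variant: labels built from some combination of these words.
WORDS_2019 = ("search", "result", "daemon")
# 2021 variant: persistence file and executable names end in .system or .service.
EXT_2021 = re.compile(r"\.(system|service)$", re.IGNORECASE)


def matches_2019(label: str) -> bool:
    """True if the label contains at least two of the 2019 marker words."""
    lower = label.lower()
    return sum(word in lower for word in WORDS_2019) >= 2


def has_2021_extension(name: str) -> bool:
    """True if a label, file name or path basename ends in .system or .service."""
    return bool(EXT_2021.search(name))


def inspect_plist(data: bytes, source: str) -> Optional[Dict[str, object]]:
    """Parse one launchd plist and return a hit record, or None if it looks clean."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # not a parseable plist; out of scope for this heuristic
        return None
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))

    reasons: List[str] = []
    if matches_2019(label):
        reasons.append("2019-style label (Search/Result/Daemon)")
    # Check label, executable basename and the plist's own name (minus .plist).
    names = [label, Path(program).name, Path(source).stem]
    if any(has_2021_extension(n) for n in names if n):
        reasons.append("2021-style .system/.service name")
    if not reasons:
        return None
    return {"source": source, "label": label, "program": program, "reasons": reasons}


def scan_directories(dirs=LAUNCHD_DIRS) -> List[Dict[str, object]]:
    """Scan real launchd directories on the host (silently skips missing ones)."""
    hits = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in directory.glob("*.plist"):
            try:
                hit = inspect_plist(path.read_bytes(), str(path))
            except OSError:
                continue
            if hit:
                hits.append(hit)
    return hits


def _plist(label: str, program: str) -> bytes:
    """Build a minimal launchd plist (constructed sample data)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": [program], "RunAtLoad": True})


# Constructed samples: one benign agent, one 2019-style label, one 2021-style pair.
# The .system executable and .service label living together mirrors the quoted
# observation that both extensions usually appear on the same infected device.
SAMPLES: Dict[str, bytes] = {
    "/Library/LaunchAgents/com.example.updater.plist":
        _plist("com.example.updater", "/usr/local/bin/example-updater"),
    "/Users/Shared/Library/LaunchAgents/ElementarySignalSearchDaemon.plist":
        _plist("ElementarySignalSearchDaemon", "/Users/Shared/ElementarySignalSearchDaemon"),
    "/Library/LaunchDaemons/com.ExampleName.service.plist":
        _plist("com.ExampleName.service",
               "/Library/Application Support/ExampleName/ExampleName.system"),
}


def scan_samples() -> List[Dict[str, object]]:
    """Run the heuristic over the constructed samples (offline demonstration)."""
    hits = []
    for source, data in SAMPLES.items():
        hit = inspect_plist(data, source)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_samples() + scan_directories():
        print(f"{hit['source']}\n  label={hit['label']}\n  program={hit['program']}\n  reasons={hit['reasons']}")
```

This is a triage heuristic, not a verdict: a legitimate label that happens to combine two of the marker words will also be flagged, so treat a hit as a pointer to the plist and executable worth examining, not as confirmation of AdLoad.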

The researchers have catalogued about 50 different label patterns, and they found that the droppers used in this campaign share the same pattern as Bundlore/Shlayer droppers. 

“They use a fake Player.app mounted in a DMG. Many are signed with a valid signature; in some cases, they have even been known to be notarized,” the report said. 

“Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular…
