
New AdLoad Variant Bypasses Apple's Security Defenses to Target macOS Systems
2021-08-16 04:40

A new wave of attacks involving a notorious macOS adware family has evolved to leverage around 150 unique samples in the wild in 2021 alone, some of which have slipped past Apple's on-device malware scanner and have even been signed by its own notarization service, highlighting the malicious software's ongoing attempts to adapt and evade detection.

The new iteration "continues to impact Mac users who rely solely on Apple's built-in security control XProtect for malware detection," SentinelOne threat researcher Phil Stokes said in an analysis published last week.

"As of today XProtect arguably has around 11 different signatures for AdLoad [but] the variant used in this new campaign is undetected by any of those rules."

The 2021 version of AdLoad uses persistence and executable names that follow a different file extension pattern, enabling the malware to get around additional security protections incorporated by Apple. The result is the installation of a persistence agent, which in turn triggers an attack chain that deploys malicious droppers masquerading as a fake Player.

What's more, the droppers are signed with a valid signature using developer certificates, prompting Apple to revoke the certificates "within a matter of days of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks," Stokes noted.

SentinelOne said it detected new samples signed with fresh certificates within hours or days of the revocations, calling it a "game of whack-a-mole." The first samples of AdLoad are said to have appeared as early as November 2020, with regular further occurrences across the first half of 2021, followed by a sharp uptick throughout July and, in particular, the early weeks of August 2021.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/AL44q59e3Wk/new-adload-variant-bypasses-apples.html