Researchers discover new AdLoad malware campaigns targeting Macs and Apple products

A new study from SentinelLabs found 150 new samples of the adware that they claim "remain undetected by Apple's on-device malware scanner."

SentinelLabs has released a new report about the discovery of a new adware campaign targeting Apple. 

After identifying AdLoad as an adware and bundleware loader currently afflicting macOS in 2019, the cybersecurity company said it has seen 150 new samples of the adware that they claim "remain undetected by Apple's on-device malware scanner." Some of the samples were even notarized by Apple, according to the report.

Apple uses the XProtect security system to detect malware on all Macs and originally created a protection scheme against AdLoad, which has floated around the internet since at least 2017, according to the report. 

XProtect now has about 11 different signatures for AdLoad, some of which cover the 2019 version of the adware SentinelLabs found that year. But the latest campaign discovered is not protected by anything in XProtect, according to the company. 

"In 2019, that pattern included some combination of the words 'Search,' 'Result' and 'Daemon,' as in the example shown above: 'ElementarySignalSearchDaemon.' Many other examples can be found here. The 2021 variant uses a different pattern that primarily relies on a file extension that is either .system or .service," the researchers explained.  

"Which file extension is used depends on the location of the dropped persistence file and executable as described below, but typically both .system and .service files will be found on the same infected device if the user gave privileges to the installer."

About 50 different label patterns have been discovered by the researchers and they found that the droppers used share the same pattern as Bundlore/Shlayer droppers. 

"They use a fake Player.app mounted in a DMG. Many are signed with a valid signature; in some cases, they have even been known to be notarized," the report said. 

"Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks. Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole." 

SentinelLabs cites research from analysts at Confiant confirming that samples in the wild have been notarized by Apple. 

The samples began to crop up in November 2020 and became more prominent in 2021. There was an even sharper uptick in July and August as more attackers try to take advantage of XProtect's gaps before they're closed. 

XProtect's last update was on June 18th, according to SentinelLabs. Apple did not respond to requests for comment. 

Despite the lack of protection from XProtect, other vendors do have systems to detect the malware. 

"As Apple itself has noted and we described elsewhere, malware on macOS is a problem that the device manufacturer is struggling to cope with," the report said. 

"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple's built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices."