macOS Adload | Prolific Adware Pivots Just Days After Apple’s XProtect Clampdown 

Apple expanded XProtect with 74 new rules in v2192 and 10 more in v2193 to disrupt Adload, but the adware quickly pivoted to evade the updates. The article analyzes a Go-based Adload variant that bypasses XProtect and outlines observed indicators of compromise and detection considerations, with guidance on protection strategies. #Adload #XProtect

Keypoints

  • Apple added 74 new XProtect rules in v2192 and 10 more in v2193 targeting Adload, aiming to disrupt the adware on macOS.
  • Adload samples began evading XProtect and other engines on VirusTotal even as the signature update rolled out.
  • A new Adload Go variant (Rload/Lador) is a 4.55 MB Intel x86_64 dropper that serves as the initial stage for the payload.
  • The droppers perform system information discovery via ioreg and contact hardcoded domains to fetch a remote gzip payload.
  • Minor tweaks replaced main.DownloadURL with main.dwnldUrl and use a Go package to obtain machine IDs, helping evade XProtect’s YARA rule.
  • SentinelOne Singularity detects Adload and is recommended as part of defense-in-depth, alongside other protections.

MITRE Techniques

  • [T1082] System Information Discovery – The droppers perform system information discovery via the ioreg utility: “ioreg -rd1 -c IOPlatformExpertDevice”.
  • [T1105] Ingress Tool Transfer – The malware then seeks to resolve the hardcoded domain name stored in sym._main.dwnldUrl and sends an HTTP request to retrieve a remote gzip payload.
  • [T1071.001] Web Protocols – The malware uses HTTP to retrieve the remote gzip: “send an http request to retrieve a remote gzip.”
  • [T1059.004] Unix Shell – The function that utilizes this package also calls another function to shell out commands, namely sym._os_exec.Command (Go’s os/exec.Command).
  • [T1036] Masquerading – None of the samples were codesigned, leaving the specific distribution methods obscure.

Indicators of Compromise

  • [File Hash] context – 13312b3dad9633fa185351e28397c21415d95125, 21c447cac1c13a6804e52f216a4c41a20c963c01, and 7 more hashes
  • [Domains] context – api.availablemac[.]com, api.buffermanager[.]com, api.deployquest[.]com, api.generalmodules[.]com, api[.]inetprogress[.]com, api[.]launchelemnt[.]com, api[.]lookwebresults[.]com, api[.]navigationbuffer[.]com, api[.]operativeeng[.]com, api[.]searchwebmesh[.]com, api[.]validexplorer[.]com
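The techniques and indicators above translate directly into a detection: a process that runs the ioreg platform query and then reaches out to one of the listed domains. The script below is an added example written for this summary, not code from SentinelOne or the original post. It refangs the domain list as published (both "api.name[.]com" and "api[.]name[.]com" forms), scans constructed endpoint telemetry in an assumed "timestamp|event|pid|detail" format, and rates each process; the log lines, pids and the event format are invented for illustration.

```python
"""
Added example (not from the SentinelOne post): correlate the ioreg
system-information query (T1082) with an HTTP fetch (T1105 / T1071.001)
to a known Adload domain, per process, over constructed telemetry.
"""
from urllib.parse import urlparse

# Domains copied from the IoC list above, defanged exactly as published.
ADLOAD_DOMAINS_DEFANGED = [
    "api.availablemac[.]com", "api.buffermanager[.]com", "api.deployquest[.]com",
    "api.generalmodules[.]com", "api[.]inetprogress[.]com", "api[.]launchelemnt[.]com",
    "api[.]lookwebresults[.]com", "api[.]navigationbuffer[.]com",
    "api[.]operativeeng[.]com", "api[.]searchwebmesh[.]com", "api[.]validexplorer[.]com",
]

# The discovery command quoted in the post (matched as a substring so a
# full path such as /usr/sbin/ioreg still hits).
IOREG_DISCOVERY = "ioreg -rd1 -c IOPlatformExpertDevice"


def refang(domain):
    """Turn 'api[.]example[.]com' into 'api.example.com' (lower-case, no trailing dot)."""
    return domain.replace("[.]", ".").lower().rstrip(".")


ADLOAD_DOMAINS = {refang(d) for d in ADLOAD_DOMAINS_DEFANGED}

# Constructed telemetry (not real logs). Assumed format: ts|event|pid|detail
# where event is "exec" (detail = command line) or "net" (detail = URL).
SAMPLE_TELEMETRY = """\
2024-02-12T10:01:02Z|exec|4321|/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice
2024-02-12T10:01:03Z|net|4321|http://api.deployquest.com/v1/get
2024-02-12T10:05:00Z|exec|5555|/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice
2024-02-12T10:05:01Z|net|5555|https://example.com/update
2024-02-12T10:06:00Z|net|6666|http://API.SearchWebMesh.com/x
"""


def parse_line(line):
    """Split one telemetry line into (timestamp, event, pid, detail)."""
    ts, event, pid, detail = line.split("|", 3)
    return ts, event, int(pid), detail


def scan(telemetry):
    """Return {pid: {"discovery": bool, "ioc_hosts": set}} for the telemetry text."""
    findings = {}
    for raw in telemetry.splitlines():
        if not raw.strip():
            continue
        _ts, event, pid, detail = parse_line(raw)
        entry = findings.setdefault(pid, {"discovery": False, "ioc_hosts": set()})
        if event == "exec" and IOREG_DISCOVERY in detail:
            entry["discovery"] = True
        elif event == "net":
            host = (urlparse(detail).hostname or "").lower().rstrip(".")
            if host in ADLOAD_DOMAINS:
                entry["ioc_hosts"].add(host)
    return findings


def classify(findings):
    """Rate each process: both behaviours -> high, IoC contact only -> medium,
    ioreg query only -> low (benign software also reads IOPlatformExpertDevice,
    so the query by itself is only a weak signal)."""
    verdicts = {}
    for pid, f in findings.items():
        if f["discovery"] and f["ioc_hosts"]:
            verdicts[pid] = "high"
        elif f["ioc_hosts"]:
            verdicts[pid] = "medium"
        elif f["discovery"]:
            verdicts[pid] = "low"
    return verdicts


if __name__ == "__main__":
    for pid, severity in sorted(classify(scan(SAMPLE_TELEMETRY)).items()):
        print(f"pid {pid}: {severity}")
```

On the constructed input, pid 4321 (ioreg query followed by a fetch from api.deployquest.com) rates high, pid 6666 (contact with a listed domain only) medium, and pid 5555 (ioreg query followed by an unrelated host) low. Feeding the refanged list to a DNS or proxy block list covers the domain side; the process correlation is what survives the symbol renames the post describes, since it keys on behaviour rather than on strings inside the binary.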

Read more: https://www.sentinelone.com/blog/macos-adload-prolific-adware-pivots-just-days-after-apples-xprotect-clampdown/