IronNet reports a rise in MacOS malware detections in education networks, driven by AdLoad and UpdateAgent on BYOD devices returning to campus. The findings highlight BYOD risk, multi-stage C2 activity, and the need for strict network segmentation and BYOD controls in education environments. #AdLoad #UpdateAgent #IronDome #BYOD #Education
Keypoints
- In early-to-mid August, IronDome detections of MacOS malware, specifically AdLoad and UpdateAgent, rose in the education sector as students returned to school.
- Incidents were traced to already-infected personal devices brought onto education networks, underscoring BYOD risks and the importance of network segmentation.
- CyOC identified previously unreported IOCs, including HTTP User Agents, HTTP Paths, and domains; some IOCs date back to 2019, indicating long-running techniques.
- IronDome analytics correlated activity across multiple enterprises, expanding visibility to additional organizations.
- AdLoad downloads payloads; UpdateAgent exfiltrates basic system information and has been discussed in relation to known AdLoad behavior.
- The report emphasizes strict BYOD policies and segmentation to limit risks from personal devices.
- Additional observations noted other MacOS payloads (Genieo adware) and unknown Mach-O binaries in ZIPs, illustrating broader MacOS threats in education contexts.
MITRE Techniques
- [T1071.001] Web Protocols - AdLoad beacons with HTTP GET requests to a C2 domain carrying two device-unique values, then sends HTTP POST requests with data: "The victim host conducts HTTP GET requests to a C2 domain with two device unique variables, a 6 digit number and UUID string. These requests have user agent strings of either Go-http-client or curl, and result in an HTTP 404 response."
- [T1071.001] Web Protocols - The data portion of the AdLoad POST requests begins with "smc" followed by encrypted data: "The string smc is found at the start of the data portion of the POST request, followed by encrypted data."
- [T1571] Non-Standard Port - Encrypted traffic to the UpdateAgent C2 domains was observed on TCP port 1027 rather than a standard web port: "Encrypted Communications over TCP port 1027 were observed to qolveevgclr.activedirec[.]com and b.digitalgrounds[.]info."
- [T1105] Ingress Tool Transfer - Payloads are retrieved from static.<domain>/d/<38 digit string>/<filename> as a password-protected ZIP: "additional payload is downloaded from static.<domain>/d/<38 digit string>/<filename>, which contains a password-protected zip file."
- [T1071.001] Web Protocols - An HTTP POST to the path /squirrel-log with a suspicious HTTP user agent, not attributed to a named family: "HTTP POST to path /squirrel-log with suspicious HTTP user agent."
Indicators of Compromise
- [Domain] C2 - AdLoad - m.generateelevate[.]com, static.generateelevate[.]com
- [Domain] C2 - UpdateAgent - qolveevgclr.activedirec[.]com, b.digitalgrounds[.]info
- [Domain] Unknown/Download/C2 - temptation[.]live
- [File hash] Mach-O - 1001c1ed209abec59d96e0f27007561c3036c585dd0113ed3cc074bf6a11c105, 0e2632386edf4ec702402767278038f0febfc81063a8bd5bf4be158f1fab156a
- [File name] Mach-O - V6QED2Q1WBYVOPE, companyupdater
- [ZIP Archive] centurion.zip
- [HTTP User Agent] BasicIndexfld (unknown version) CFNetwork/1410.0.3 Darwin/22.6.0, StandardBoost.system (unknown version) CFNetwork/1128.0.1 Darwin/19.6.0 (x86_64)
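As an added example (not IronNet's code and not part of the original post), the following Python turns the technique descriptions and the IOC list above into detection rules and runs them over constructed Zeek-style http.log and conn.log records. Several things are assumptions: the field names, the query-string layout used for the 6-digit-number/UUID check (the report says only that both values appear in the GET request), the `body_prefix` field (a plain http.log carries no body; it would come from a proxy or full packet capture), and the `server_name` field on connection records (the peer's DNS or TLS SNI name). The sample records are constructed and do not come from the report.

```python
"""Network detections for the AdLoad / UpdateAgent behaviour described in the report.

Added example, not IronNet's code. Input records are constructed below to resemble
Zeek http.log / conn.log entries; field names, the query layout for the 6-digit/UUID
check, `body_prefix` and `server_name` are assumptions, not facts from the report.
"""
import re
from typing import Iterable

# IOCs from the report (re-fanged so they match log fields), keyed to the family named there.
C2_DOMAINS = {
    "m.generateelevate.com": "AdLoad",
    "static.generateelevate.com": "AdLoad",
    "qolveevgclr.activedirec.com": "UpdateAgent",
    "b.digitalgrounds.info": "UpdateAgent",
    "temptation.live": "Unknown",
}
# Reported User-Agent strings, matched as prefixes because the CFNetwork/Darwin build varies.
BAD_UA_PREFIXES = (
    "BasicIndexfld (unknown version) CFNetwork/",
    "StandardBoost.system (unknown version) CFNetwork/",
)
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")
SIX_DIGIT_RE = re.compile(r"(?<!\d)\d{6}(?!\d)")        # exactly six digits, not part of a longer run
PAYLOAD_PATH_RE = re.compile(r"^/d/\d{38}/[^/?]+$")      # static.<domain>/d/<38 digits>/<filename>
NON_STANDARD_PORT = 1027


def check_http(rec: dict) -> list[str]:
    """Return the names of every rule an HTTP record matches (empty list = clean)."""
    hits: list[str] = []
    host = rec.get("host", "").lower()
    uri = rec.get("uri", "")
    ua = rec.get("user_agent", "")
    method = rec.get("method", "")

    if host in C2_DOMAINS:
        hits.append(f"ioc_domain:{C2_DOMAINS[host]}")
    # T1071.001: GET carrying a 6-digit number and a UUID, Go-http-client/curl UA, 404 reply.
    if (method == "GET" and SIX_DIGIT_RE.search(uri) and UUID_RE.search(uri)
            and ua.startswith(("Go-http-client", "curl")) and rec.get("status_code") == 404):
        hits.append("adload_get_beacon")
    # T1071.001: POST whose body starts with "smc" followed by encrypted data (needs body capture).
    if method == "POST" and rec.get("body_prefix", "").startswith("smc"):
        hits.append("adload_smc_post")
    # T1105: payload download path static.<domain>/d/<38 digits>/<filename> (password-protected zip).
    if host.startswith("static.") and PAYLOAD_PATH_RE.match(uri):
        hits.append("payload_download_path")
    # T1071.001: POST to /squirrel-log; the report flags this path together with a suspicious UA.
    if method == "POST" and uri.split("?", 1)[0] == "/squirrel-log":
        hits.append("squirrel_log_post")
    if ua.startswith(BAD_UA_PREFIXES):
        hits.append("ioc_user_agent")
    return hits


def check_conn(rec: dict) -> list[str]:
    """Rules for a connection record; server_name is the DNS/SNI name of the peer (assumed field)."""
    hits: list[str] = []
    name = rec.get("server_name", "").lower()
    if name in C2_DOMAINS:
        hits.append(f"ioc_domain:{C2_DOMAINS[name]}")
        # T1571: encrypted traffic to a listed domain on TCP 1027 instead of 80/443.
        if rec.get("proto") == "tcp" and rec.get("dst_port") == NON_STANDARD_PORT:
            hits.append(f"nonstandard_port_{NON_STANDARD_PORT}:{C2_DOMAINS[name]}")
    return hits


def scan(http_records: Iterable[dict], conn_records: Iterable[dict]) -> dict[str, list[str]]:
    """Map record uid -> rule hits, keeping only records that matched something."""
    findings: dict[str, list[str]] = {}
    for rec in http_records:
        if hits := check_http(rec):
            findings[rec["uid"]] = hits
    for rec in conn_records:
        if hits := check_conn(rec):
            findings[rec["uid"]] = hits
    return findings


# Constructed sample records (not from the report); shapes mimic Zeek http.log / conn.log.
_UUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
_UA_MAC = "BasicIndexfld (unknown version) CFNetwork/1410.0.3 Darwin/22.6.0"
HTTP_RECORDS = [
    {"uid": "h1", "method": "GET", "host": "m.generateelevate.com",
     "uri": f"/?id=483921&uuid={_UUID}", "user_agent": "Go-http-client/1.1", "status_code": 404},
    {"uid": "h2", "method": "POST", "host": "m.generateelevate.com", "uri": "/",
     "user_agent": "curl/8.1.2", "status_code": 200, "body_prefix": "smc\x9f\x02\xb7"},
    {"uid": "h3", "method": "GET", "host": "static.generateelevate.com",
     "uri": "/d/" + "1234567890" * 3 + "12345678" + "/centurion.zip",
     "user_agent": "curl/8.1.2", "status_code": 200},
    {"uid": "h4", "method": "POST", "host": "updates.example.net", "uri": "/squirrel-log",
     "user_agent": _UA_MAC, "status_code": 200},
    {"uid": "h5", "method": "GET", "host": "www.apple.com", "uri": "/",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5)", "status_code": 200},
    # Same request shape as h1 but the server answered 200, so the beacon rule does not fire.
    {"uid": "h6", "method": "GET", "host": "cdn.example.net",
     "uri": f"/?id=654321&uuid={_UUID}", "user_agent": "Go-http-client/1.1", "status_code": 200},
]
CONN_RECORDS = [
    {"uid": "c1", "proto": "tcp", "dst_port": 1027, "server_name": "qolveevgclr.activedirec.com"},
    {"uid": "c2", "proto": "tcp", "dst_port": 443, "server_name": "b.digitalgrounds.info"},
    {"uid": "c3", "proto": "tcp", "dst_port": 1027, "server_name": "mail.example.net"},
]

if __name__ == "__main__":
    for uid, hits in scan(HTTP_RECORDS, CONN_RECORDS).items():
        print(uid, ", ".join(hits))
```

The beacon rule deliberately requires the 404 response the report describes, so a request of the same shape that gets a 200 (record h6) is not flagged; loosen that condition if the goal is to catch infected hosts whose C2 has started answering. Port 1027 alone (record c3) is also not flagged without a listed domain, since plenty of legitimate services use ephemeral-range ports.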
Read more: https://www.ironnet.com/blog/back-to-school-reminder-keep-your-macs-clean