Cyber Criminals Turned Mac Systems into Proxy Exit Nodes

Besides Windows OS, now threat actors are also actively targeting Mac systems to accomplish their illicit goals. Cybersecurity analysts at AT&T Alien Labs recently observed that threat actors are actively turning Mac systems into proxy exit nodes.

The OSX malware, AdLoad, emerged in 2017, and since then, its two major campaigns were highlighted in 2021 by SentinelOne and in 2022 by Microsoft.

Microsoft’s report on UpdateAgent reveals that AdLoad, a malware that spreads through drive-by compromise, hijacks users’ traffic and injects advertisements and promotions into webpages and search results by redirecting it through the adware operators’ servers.

New Observations

Researchers at AT&T Alien Labs studied multiple recent AdLoad versions, seen in June 2023. On execution, it collects system details and communicates with an AdLoad server for reporting.

Over the past year, consistent AdLoad activity has been noted by the researchers at AT&T Alien Labs, and not only that even they also observed that the malware is being installed on the systems that are infected.

Histogram of AdLoad samples (Source – AT&T Alien Labs)

Here below, we have mentioned the new observations:-

  • Undisclosed payload
  • A proxy app
  • Turns victims into exit nodes

Numerous samples caused widespread infections, as Alien Labs spotted 10,000 IPs weekly connecting to proxy servers, potentially as exit nodes. Users’ motives for this residential proxy botnet remain uncertain, though it has been found distributing SPAM campaigns.

Mac Systems into Proxy Exit Nodes

The recent sample of AdLoad, which AT&T Alien Labs spotted in June, was named ‘app_assistant’, and the frequent file names for this malware include:-

  • ‘main_helper’ 
  • ‘mh’

Here the sample begins by using a system profiler to gather system details, emphasizing UUID for system identification later with C&C on proxy servers.

User Agent composed of the executed filename, ‘(unknown version) CFNetwork/$version,’ and Darwin version number in both instances.

Infection process (Source – AT&T Alien Labs)

Following the AdLoad server beacon, sample contacts proxy C&C domains like:-

  • vpnservices[.]live 
  • upgrader[.]live

While the request contains UUID and the encoded parameters, it gets a file link from digitaloceanspaces[.]com with the environment and payload version.

The sample sends a beacon for instructions every few seconds, while the C&C provides updates and checks for hardware issues like:-

  • Low battery
  • High CPU usage


Here Below we have mentioned all the recommendations:-

  • Identify the AdLoad samples with the unique Yara rule that is created by SentinelOne.
  • Make sure to analyze the systems meeting suricata rules 4002758 and 2038612.
  • Inspect ‘/Users/X/Library/Application Support/’ for a folder of 20+ random characters, housing files like ‘main,’ ‘helper,’ and ‘pcyx.ver’ that might be active in the background.
  • Assess the purpose of current Launch Agents lists in /Library/LaunchAgents/, particularly focusing on extra long random character strings, and remove unnecessary agents.
  • Inspect systems communicating on ports 7000, 7001, or 7002 for connections to suspicious IPs or those corresponding to suricata rules 4002756 and 4002757.

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.