New macOS Adload Malware Bypasses Built-in macOS Antivirus Detection

A new variant of the notorious Adload malware has been discovered to bypass the latest updates to Apple’s built-in antivirus, XProtect.

Despite Apple’s efforts to fortify its defenses with a significant update to its malware signature list, Adload’s authors have swiftly adapted, rendering these new measures ineffective against the latest iterations of the malware.

Apple’s Massive Adload Signature Update

Apple’s security team recently implemented a substantial update to XProtect, adding 74 new rules in version 2192 and 10 additional rules in version 2193, released on April 30th.

This update aimed to combat the Adload adware, which has been a persistent threat to macOS devices.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

According to the recent report by SentinelOne, a new strain of Adload malware has been discovered that is capable of bypassing the built-in antivirus detection of macOS, posing a significant threat to the security of Mac systems.

Before this update, XProtect had 207 rules, of which a significant portion targeted historical versions of Adload.

The update marked a 24% increase in the rule count, showcasing Apple’s commitment to combating this pervasive adware.

New Adload samples (VirusTotal)
New Adload samples (VirusTotal)

Despite these efforts, new versions of Adload have been identified, evading detection by both XProtect and other antivirus engines on VirusTotal.

This development underscores malware authors’ adaptability and the challenges faced by security teams in keeping up with evolving threats.

The latest Adload samples have shown an alarming ability to bypass detection mechanisms. Initially, various antivirus engines detected many of these samples.

However, as the week progressed, samples began to surface that eluded XProtect and other vendors’ detection on VirusTotal.

This evasion highlights the sophistication of the new Adload variants and the need for continuous vigilance and updates from security providers.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

New Adload Go Variant (Reload/Lador)

Among the new variants, one in particular, compiled solely for the Intel x86_64 architecture, has demonstrated a near-total detection evasion, with 0 or only 1 detection among VirusTotal engines.

This variant acts as an initial dropper for the next stage payload, with no clear parent executable, application, or disk image, suggesting a distribution through cracked or trojanized apps.

The samples observed embed a unique custom domain, following known Adload patterns, indicating a sophisticated and organized distribution method.

SHA1Domain
13312b3dad9633fa185351e28397c21415d95125api[.]deployquest[.]com
21c447cac1c13a6804e52f216a4c41a20c963c01api[.]searchwebmesh[.]com
5b1d60c6f461cd8ba91cbca5c7190f4b2752979dapi[.]generalmodules[.]com
67a56aa269b9301981c0538ace75bec2cd381656api[.]validexplorer[.]com
7aaff54d2d6e3f38e51a4f084e17b9aad79a9de0api[.]operativeeng[.]com
912a2ab06d3afe89e8e2ad19d3300055f0e0a968api[.]buffermanager[.]com
a99d03fc3b32742de6688274a3ee3cdaef0172bfapi[.]lookwebresults[.]com
f166eb63162ce4a5ac169e01c160be98b0e27e13api[.]navigationbuffer[.]com
feb2c674f135410c3ced05c301f19ab461e37b20api[.]inetprogress[.]com

Upon execution, these droppers perform system information discovery via the ioreg utility:

ioreg -rd1 -c IOPlatformExpertDevice

The malware then seeks to resolve a hardcoded domain name, sym._main.dwnldUrl, and sends an http request to retrieve a remote gzip.

Hardcoded Adload domain
Hardcoded Adload domain

Minor Tweak Evades XProtect Signature Rule

A closer examination of the binaries reveals that despite Apple’s targeted efforts, the malware authors have managed to evade detection by making minor adjustments, such as replacing the string main.DownloadURL with main.dwnldUrl.

rule macos_smolgolf_adload_dropper

{

meta:

    description = "MACOS.ADLOAD"

strings:

    $varName = "main.DownloadURL"

    $libraryName = "github.com/denisbrodbeck/machineid.ID"

    $execCommand = "os/exec.Command"

condition:

    Macho and all of them

}

This subtle change has allowed the latest Adload samples to slip past XProtect’s defenses, underscoring the ongoing cat-and-mouse game between malware authors and security teams.

As the battle against malware like Adload continues, it is clear that reliance on built-in antivirus solutions alone may not suffice.

Enterprises and individual users are encouraged to consider third-party security solutions to ensure comprehensive protection against these and other sophisticated threats.

For those concerned about the security of their macOS devices, exploring additional security measures and staying informed about the latest threats and detection strategies is more crucial than ever.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.