New AdLoad variant bypasses Apple’s security defenses to target macOS systems




A new wave of attacks involving a well-known macOS adware family has evolved to use roughly 150 unique samples in the wild in 2021 alone, some of which slipped past Apple's on-device malware scanner and were even signed off by its own notarization service, highlighting how the software keeps adapting to evade detection.

"AdLoad", as the malware is called, is one of several adware and bundleware loaders targeting macOS since at least 2017. It is capable of backdooring an affected system to download and install adware or potentially unwanted programs (PUPs), as well as harvesting and transmitting information about victim machines.


The new iteration "continues to impact Mac users who rely solely on Apple's built-in XProtect security control for malware detection," said Phil Stokes, Threat Researcher at SentinelOne, in an analysis published last week. "To date, however, XProtect arguably has around 11 different signatures for AdLoad, [but] the variant used in this new campaign is not detected by any of these rules."

The 2021 version of AdLoad relies on persistence and executable names that use a different file extension pattern (.system or .service), allowing the malware to slip past the additional security protections Apple has incorporated. The chain ultimately installs a persistence agent, which in turn triggers the deployment of malicious droppers masquerading as a fake Player.app to install the malware.
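The extension pattern described above is something a defender can hunt for in launchd persistence. The following POSIX shell script is an added example written for this page, not code from the article or from SentinelOne: it walks a directory of LaunchAgent/LaunchDaemon plists and reports any whose Program or ProgramArguments path ends in .system or .service. The plists it creates are constructed sample data, and their labels and paths (com.example.*, /Users/victim/..., helper.service, monitor.system) are hypothetical, not indicators from the article.

```shell
#!/bin/sh
# Added example (not from the article or from SentinelOne): a small launchd
# persistence hunt for the ".system" / ".service" executable-name pattern the
# article attributes to the 2021 AdLoad samples. The sample plists written by
# make_samples are constructed; their labels, paths and file names are
# hypothetical and are not indicators from the article.

# scan_launchd DIR
# Print "<plist path>:<program path>" for every plist in DIR whose Program or
# ProgramArguments entry names an absolute path ending in .system or .service.
# Only <string> values are inspected, and only absolute paths are reported, so
# a Label that merely contains ".service" is not flagged.
scan_launchd() {
    dir="$1"
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # Extract each <string>...</string> value (one per line), keep absolute
        # paths with the suspicious extension, and report them with their plist.
        sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' "$plist" |
            grep -E '^/.*\.(system|service)$' |
            while IFS= read -r prog; do
                printf '%s:%s\n' "$plist" "$prog"
            done
    done
}

# make_samples DIR
# Write three constructed LaunchAgent plists into DIR: one ordinary agent and
# two that use the extension pattern, one via ProgramArguments, one via Program.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/updater</string>
        <string>--check</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    cat > "$dir/com.example.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/victim/Library/Application Support/helper/helper.service</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    cat > "$dir/com.example.monitor.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.monitor</string>
    <key>Program</key><string>/Library/Application Support/monitor/monitor.system</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Stand-alone run: scan a temporary directory of the constructed samples.
demo() {
    tmp="$(mktemp -d)"
    make_samples "$tmp"
    scan_launchd "$tmp"
    rm -rf "$tmp"
}
demo
```

On a real Mac the directories to pass to scan_launchd are ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; any hit is then worth inspecting with `codesign -dv --verbose=4 <path>` and `spctl --assess --type execute <path>` to see which developer certificate signed it and whether Gatekeeper still accepts it. A hit is a lead, not a verdict: the script keys only on the naming pattern the article describes, so confirm with the binary's signature and behaviour before acting.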

Additionally, the droppers are signed with a valid signature using developer certificates, prompting Apple to revoke the certificates "within days (sometimes hours) of samples being seen on VirusTotal, providing belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks," Stokes noted.


SentinelOne said it detected new samples signed with fresh certificates within hours and days, calling it "a game of whack-a-mole." The first AdLoad samples are said to have appeared as early as November 2020, with further regular occurrences in the first half of 2021, followed by a sharp increase throughout July and, in particular, the first weeks of August 2021.

AdLoad is one of the malware families, alongside Shlayer, known to bypass XProtect and infect Macs with other malicious payloads. In April 2021, Apple fixed an actively exploited zero-day flaw in its Gatekeeper service (CVE-2021-30657) that was abused by Shlayer operators to deploy untrusted software on compromised systems.

"Malware on macOS is an issue that the device manufacturer is struggling to cope with," Stokes said. "The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and still go undetected by Apple's built-in malware scanner demonstrates the need to add additional security checks for Mac devices."



