macOS Adload Pivots Just Days After Apple’s XProtect Clampdown

216.73.216.6

macOS Adload Pivots Just Days After Apple’s XProtect Clampdown

· Published 01/05/2024 20:00 · Modified 02/05/2024 11:13

Essential information

Published: 01/05/2024 20:00
Modified: 02/05/2024 11:13
Tags: adload adware apple dropper evasion macos
Related entities: 11 observables, 1 intrusion sets (apt), 1 techniques (mitre), 1 malware

Description

The report analyzes a new variant of the Adload adware that evades Apple's recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192, the adware authors have rapidly modified their code to bypass these detections. The report examines a specific 4.55MB Intel x86_64 dropper sample that employs Go language components and connects to hardcoded domains for retrieving next-stage payloads. While undetected by most antivirus engines on VirusTotal, SentinelOne's multi-engine platform effectively identifies and blocks this Adload variant.

External references

https://www.sentinelone.com/blog/macos-adload-prolific-adware-pivots-just-days-after-apples-xprotect-clampdown/
https://otx.alienvault.com/pulse/66329f6a4a00630aea010628