Widespread Adware targeting macOS “Adload” Adapting to Evade Apple XProtect Signatures

A new report outlines the technical details of an adware campaign in which Adload evades Apple XProtect signatures to target macOS users.

On 1 May 2024, SentinelOne researchers reported the technical details of an adware campaign in which Adload evades Apple XProtect signatures to target macOS users.

Context and Technical Details

In late April 2024, Apple released more than 80 new rules for the XProtect malware signature list. Mere days later, SentinelOne researchers identified a malware campaign successfully evading these rules to deliver the prolific Adload adware.

According to the researchers, the analyzed samples were undetected on VirusTotal at the time of publication.

Additionally, researchers noted “This variant has a file size of 4.55MB and is compiled solely for Intel x86_64 architecture. The binaries function as initial droppers for the next stage payload.

None of the early samples we saw this week showed relationships to a parent executable, application or disk image, and none were codesigned, leaving the specific distribution methods obscure, though typically these droppers are embedded in cracked or trojanized apps distributed by malicious websites, torrents and other means. However, all the new samples embedded a unique custom domain registered with NameCheap and following known Adload patterns.”

Researchers indicated that the binaries evade the XProtect rules by replacing a string that the signature requires in order to match.
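As an added triage example (not code from the SentinelOne report or from RH-ISAC), the helper below checks a Mach-O file for the two properties the researchers highlighted: a thin (non-universal) Intel x86_64 image and the absence of an LC_CODE_SIGNATURE load command. The Mach-O constants are the standard ones; the sample headers are constructed fixtures, not real Adload samples.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O header, little-endian on x86_64/arm64
FAT_MAGIC = 0xCAFEBABE         # universal (fat) binary, big-endian header
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
MH_HEADER_64_SIZE = 32         # eight uint32 fields, magic .. reserved
LOAD_CMD_SIZE = 8              # cmd, cmdsize


def triage_macho(data: bytes) -> dict:
    """Report whether a Mach-O is fat, which CPU type it targets, and whether
    it carries an LC_CODE_SIGNATURE load command (absent on unsigned files)."""
    if len(data) < 4:
        raise ValueError("too short to be a Mach-O")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        # A fat binary has several slices; the reported droppers were not fat.
        return {"fat": True, "cputype": None, "code_signed": None}
    magic, cputype, _sub, _ftype, ncmds, sizeofcmds = struct.unpack("<6I", data[:24])
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    signed, off = False, MH_HEADER_64_SIZE
    end = min(len(data), off + sizeofcmds)
    for _ in range(ncmds):
        if off + LOAD_CMD_SIZE > end:
            break                               # truncated load-command table
        cmd, cmdsize = struct.unpack("<II", data[off:off + LOAD_CMD_SIZE])
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        if cmdsize < LOAD_CMD_SIZE:
            break                               # malformed cmdsize would loop forever
        off += cmdsize
    return {"fat": False, "cputype": cputype, "code_signed": signed}


def matches_dropper_profile(data: bytes) -> bool:
    """True for a thin x86_64 Mach-O with no code signature (triage hint only)."""
    info = triage_macho(data)
    return not info["fat"] and info["cputype"] == CPU_TYPE_X86_64 and not info["code_signed"]


def _build_header(cputype: int, cmds: list) -> bytes:
    """Constructed fixture: header plus zero-padded load commands of the given sizes."""
    body = b"".join(struct.pack("<II", c, n) + b"\0" * (n - 8) for c, n in cmds)
    return struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, len(cmds), len(body), 0, 0) + body


UNSIGNED_X86 = _build_header(CPU_TYPE_X86_64, [(LC_SEGMENT_64, 72)])
SIGNED_X86 = _build_header(CPU_TYPE_X86_64, [(LC_SEGMENT_64, 72), (LC_CODE_SIGNATURE, 16)])
UNSIGNED_ARM64 = _build_header(CPU_TYPE_ARM64, [(LC_SEGMENT_64, 72)])
```

Run it over a real file with `matches_dropper_profile(open(path, "rb").read())`; a match only means the file shares the profile described above and warrants a closer look, not that it is Adload.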

Community Impact

The RH-ISAC intelligence team assesses with a high degree of confidence that Adload represents a relatively low threat to the member community. However, adware has recently been linked to some campaigns as an initial infection vector for ransomware operations, which indicates that organizations would be wise to take defensive measures even while the threat profile of Adload is minimal.

SentinelOne researchers noted “Apple will quickly update its signatures to take into account this latest Adload pivot, it is inevitable that with XProtect’s YARA rules being transparent to malware developers it won’t take long for any such change to once again be circumvented.” Thus, organizations in the retail, hospitality, and travel industries are advised to maintain situational awareness around this threat and to review the indicators of compromise (IOCs) included here.

IOCs

SentinelOne researchers provided IOCs consisting of file hashes (SHA1) and campaign domains:

