Back

macOS Adload Pivots Just Days After Apple’s XProtect Clampdown

May 2, 2024, 11:13 a.m.

Tags

evasion
macos
dropper
adware
apple
adload

External References

https://www.sentinelone.com/

https://otx.alienvault.com/

Description

The report analyzes a new variant of the Adload adware that evades Apple's recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192, the adware authors have rapidly modified their code to bypass these detections. The report examines a specific 4.55MB Intel x86_64 dropper sample that employs Go language components and connects to hardcoded domains for retrieving next-stage payloads. While undetected by most antivirus engines on VirusTotal, SentinelOne's multi-engine platform effectively identifies and blocks this Adload variant.

Date

Published Created Modified
May 1, 2024, 8 p.m. May 1, 2024, 8 p.m. May 2, 2024, 11:13 a.m.

Attack Patterns

Adload

Adload

T1082