macOS Adload Pivots Just Days After Apple’s XProtect Clampdown
May 2, 2024, 11:13 a.m.
Description
The report analyzes a new variant of the Adload adware that evades Apple's recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192, the adware authors have rapidly modified their code to bypass these detections. The report examines a specific 4.55MB Intel x86_64 dropper sample that employs Go language components and connects to hardcoded domains for retrieving next-stage payloads. While undetected by most antivirus engines on VirusTotal, SentinelOne's multi-engine platform effectively identifies and blocks this Adload variant.
Date
Published: May 1, 2024, 8 p.m.
Created: May 1, 2024, 8 p.m.
Modified: May 2, 2024, 11:13 a.m.
Indicators
Attack Patterns
Adload
T1082 (MITRE ATT&CK: System Information Discovery)