Adload Adware Quickly Evades Apple’s Expanded XProtect
A recent update of Apple’s XProtect security framework, which included an unprecedented 74 new rules targeting the prolific Adload adware, appears to have been ineffective. Security researchers at SentinelOne have identified new Adload variants that successfully evade Apple’s detection mechanisms.
Apple’s latest XProtect update—versions 2192 and 2193—was an ambitious effort to curb the rampant spread of adware affecting macOS users. This update expanded the number of malware rules from 207 to 289, with a substantial focus on Adload, a notorious adware known for its resilience and adaptability. The update aimed to provide a robust defense against known Adload iterations but also hoped to stall the adware’s developers long enough to disrupt their operations significantly.
New Adload samples (VirusTotal) | Image: SentinelOne
Despite Apple’s efforts, SentinelOne reports a swift response from the Adload adware. Within a week, new samples of Adload were detected that not only bypassed the newly implemented XProtect rules but also remained largely undetected on VirusTotal—a popular tool for analyzing suspicious files and URLs.
The newly observed variant, referred to as Rload/Lador, appears particularly sophisticated with none of the usual digital fingerprints like a parent executable or a code signature, making its distribution method more elusive. These samples typically come embedded within cracked or trojanized applications distributed via malicious websites or file-sharing platforms.
Upon execution, this variant employs a series of commands to gather system information and communicate with a remote server using a custom, hard-coded domain. This process involves the retrieval of a remote payload, which is then executed from a temporary directory within the user’s system.
Interestingly, the evasion of XProtect’s new rules by this Adload variant hinges on a minor tweak in the malware’s code. Where previous versions might have used a more detectable string in their communication requests, the new variant uses “main.dwnldUrl” instead of the expected “main.DownloadURL”, a small change that significantly impacts detectability.
The quick adaptation of Adload after Apple’s XProtect update is a clear indicator that the fight against adware and malware is far from over. For users, the advice remains straightforward yet vital: keep your systems and applications up to date, and remain vigilant about the sources of your downloads.
