| Adload | |
| --- | --- |
| Type of Malware | Adware |
| Additional names | Kreberisec, ApolloSearchDaemon, AphroditeResults, NetSignalSearchDaemon, ApolloSearch, and many others. |
| Country of Origin | Unknown |
| Date of initial activity | 2017 |
| Targeted Countries | Unknown |
| Motivation | Financial Gain |
| Attack Vectors | Deceptive pop-up ads, free software installers (bundling), fake Flash Player installers, torrent file downloads. |
| Targeted System | macOS |
Overview
AdLoad is malicious software that targets macOS operating systems. It is adept at evading detection by both built-in macOS security tools and numerous third-party antivirus programs. Additionally, it hinders victims from removing the software from their systems.
AdLoad is an adware-type malware that hijacks browsers and forces users to visit potentially malicious websites, allowing cybercriminals to generate revenue. It is also known by various names, including Kreberisec, ApolloSearchDaemon, AphroditeResults, NetSignalSearchDaemon, and ApolloSearch. This adware often includes terms like “SearchDaemon,” “Lookup,” “DataSearch,” and “Results” within its name.
AdLoad stores its files in various directories, some easy to find and others more hidden. It can only do so, however, once the victim has entered the password of an admin account.
According to a recent report by SentinelOne, a new strain of AdLoad malware has been discovered that can bypass the built-in antivirus detection of macOS, posing a significant threat to the security of Mac systems.
Targets
Mac devices.
How they operate
AdLoad malware operates primarily as adware, but it can also exhibit browser hijacking and data-tracking functionalities. Here’s a detailed breakdown of how AdLoad operates:
Adware Operations
Displaying Advertisements:
AdLoad injects advertisements into web pages that users visit. These ads can appear as pop-ups, banners, or in-text ads, disrupting the user experience.
The ads may promote dubious or potentially malicious websites and products, generating revenue for the attackers through ad clicks and impressions.
Redirecting Web Traffic:
AdLoad can redirect users to specific websites, often without their consent. This increases web traffic to these sites, generating revenue for the attackers through affiliate marketing or pay-per-click schemes.
Browser Hijacking
Modifying Browser Settings:
AdLoad malware changes browser settings, such as the default search engine, homepage, and new tab page, to promote fake search engines or other sites controlled by the attackers.
These modifications are often persistent, meaning they are reapplied even if the user changes the settings back manually.
Injecting Malicious Code:
AdLoad can inject malicious scripts into web pages, further altering the browsing experience and potentially exposing users to more threats.
Data Tracking
Collecting Sensitive Information:
AdLoad may track users’ browsing habits, collecting information such as search queries, visited websites, IP addresses, and possibly even login credentials and personal data.
This information can be sold to third parties or used for further malicious activities, such as targeted advertising or identity theft.
Persistence Mechanisms
Installing LaunchDaemons and LaunchAgents:
AdLoad installs files in various system directories, including LaunchDaemons and LaunchAgents folders, ensuring that it runs automatically every time the system is booted.
These files are often named similarly to legitimate system files to avoid detection.
Creating Cron Jobs:
The malware may set up cron jobs to execute tasks periodically, maintaining its presence and re-establishing connections to command-and-control servers.
Hiding Components:
AdLoad hides its components in obscure or hidden directories, making manual removal difficult. For instance, it may use folders like “/var/root/.mitmproxy” to store malicious files.
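The persistence traits listed above (launch items whose names imitate system components, cron jobs, and stash directories such as /var/root/.mitmproxy) can be triaged with a short script. The following is an added example written for defenders; it is not code from the original profile or from any vendor it cites. The plists and crontab it scans are constructed samples, the name tokens it keys on are the ones the Overview attributes to AdLoad variants, and the stash directory is the one this section names.

```python
"""Added example (not from the original profile): offline triage of the
persistence traits the profile attributes to AdLoad. Every path, label and
crontab line below is constructed sample data."""
import os
import plistlib

# Name fragments the profile says AdLoad variants carry.
SUSPECT_NAME_TOKENS = ("SearchDaemon", "Lookup", "DataSearch", "Results")
# Hidden stash directory the profile cites.
KNOWN_STASH_DIRS = ("/var/root/.mitmproxy",)


def hidden_path_component(path: str) -> bool:
    """True if any *directory* component of path is a dot-directory such as .mitmproxy."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in path.split("/")[:-1])


def inspect_launch_item(plist_bytes: bytes, source: str) -> list[str]:
    """Return findings for one LaunchAgent/LaunchDaemon plist (empty list = nothing flagged)."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist in a launch dir is itself worth a look
        return [f"{source}: unparseable plist ({exc})"]
    findings = []
    label = str(item.get("Label", ""))
    args = item.get("ProgramArguments") or []
    program = str(item.get("Program") or (args[0] if args else ""))
    names = f"{label} {os.path.basename(program)}".lower()
    for tok in SUSPECT_NAME_TOKENS:
        if tok.lower() in names:
            findings.append(f"{source}: suspect name token '{tok}' (label={label!r}, program={program!r})")
            break
    if hidden_path_component(program):
        findings.append(f"{source}: program runs from a hidden directory: {program}")
    if any(program.startswith(d + "/") for d in KNOWN_STASH_DIRS):
        findings.append(f"{source}: program under known stash dir: {program}")
    if findings and item.get("RunAtLoad"):
        findings.append(f"{source}: RunAtLoad=true, so it starts at every boot/login")
    return findings


def inspect_crontab(text: str, source: str) -> list[str]:
    """Flag crontab entries whose command runs from a hidden dir or carries a suspect name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        command = fields[5]
        if hidden_path_component(command.split()[0]) or \
                any(tok.lower() in command.lower() for tok in SUSPECT_NAME_TOKENS):
            findings.append(f"{source}:{lineno}: periodic job worth review: {command}")
    return findings


def triage(plists: dict[str, bytes], crontab: str) -> list[str]:
    """Run both checks over an in-memory snapshot (path -> plist bytes, plus crontab text)."""
    findings = []
    for path, data in plists.items():
        findings += inspect_launch_item(data, path)
    findings += inspect_crontab(crontab, "crontab")
    return findings


# Constructed snapshot: a benign agent, an AdLoad-style agent, and a daemon in the cited stash dir.
SAMPLE_PLISTS = {
    "~/Library/LaunchAgents/com.example.backupagent.plist": plistlib.dumps({
        "Label": "com.example.backupagent",
        "ProgramArguments": ["/usr/local/bin/backup-agent", "--quiet"],
        "StartInterval": 3600}),
    "~/Library/LaunchAgents/com.ApolloSearchDaemon.plist": plistlib.dumps({
        "Label": "com.ApolloSearchDaemon",
        "ProgramArguments": ["/Users/alice/Library/Application Support/.ApolloSearchDaemon/ApolloSearchDaemon"],
        "RunAtLoad": True}),
    "/Library/LaunchDaemons/com.mitm.helper.plist": plistlib.dumps({
        "Label": "com.mitm.helper",
        "ProgramArguments": ["/var/root/.mitmproxy/helper", "--daemon"],
        "RunAtLoad": True, "KeepAlive": True}),
}
SAMPLE_CRONTAB = """# constructed root crontab
0 3 * * * /usr/sbin/periodic daily
*/15 * * * * /var/root/.mitmproxy/refresh.sh >/dev/null 2>&1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PLISTS, SAMPLE_CRONTAB):
        print(finding)
```

Run as-is to see the findings on the sample snapshot. On a real Mac the same functions apply to live data: read each plist in /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents and pass its bytes to inspect_launch_item, and pass the output of crontab -l to inspect_crontab. The name-token match is a triage heuristic and will occasionally hit legitimate items, so treat output as a review list rather than a verdict.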
Distribution Methods
Bundling with Software:
AdLoad is often bundled with free software installers from unofficial websites. When users download and install these programs, AdLoad is installed alongside them.
Fake Updates:
The malware is sometimes distributed through fake software updates, such as bogus Flash Player installers, which trick users into installing the malware.
Deceptive Ads:
Deceptive pop-up ads that appear on dubious websites can lead users to download and install AdLoad.
Variants
AlphaLookup, AphroditeLookup, AphroditeResults, ApolloSearch, AresLookup, ArtemisSearch, BinarySignSearch, CalypsoLookup, DataFormatSearch, DataQuest, ElementaryDataSearch, ElementaryInfoSearch, ElementaryProjectSearch, ExpertCharacterSearch, ExpertModuleSearch, ExpertProjectSearch, FindData, GlobalConsoleSearch, GlobalQuestSearch, GlobalSearchQuest, GoldResults, InetWebSearch, KeyWordsSearch, Kreberisec, LeadingChannelSearch, LeadingSignSearch, LookupTool, MainSignalSearch, MajorChannelSearch, MajorLetterSearch, NetLookupSearch, NetToolboxSearch, OdysseusLookup, OperativeResults, PositiveSearch, PublicAdviseSearch, QuickLookSearches, ResultSearchManager, ResultSync, ResultsSync, SearchAdditionally, SearchArchive, SearchNetCharacter, SearchOptical, SearchQuest, SearchRange, SimpleBoardSearch, SimpleFunctionSearch, SkilledProjectSearch, SmartQuestSearch, SmartWebSearch, Sorimbrsec, TabSearch, TechFunctionSearch, TotalAdviseSearch, UpgradeSearchView, VirtualToolboxSearch, WebSearchStride, PoseidonResults
References:
- How to avoid installation of AdLoad malware
- New macOS Adload Malware Bypasses Built-in macOS Antivirus Detection
- macOS Adload | Prolific Adware Pivots Just Days After Apple’s XProtect Clampdown
- Massive New AdLoad Campaign Goes Entirely Undetected By Apple’s XProtect
- Remove AdLoad Malware From Your Mac (Ultimate Guide)
- Adware:MacOS/Adload.A
- Latest macOS Adload variant focuses on detection evasion
- Trojan.AdLoad