Advisory ID: ngCERT-2024-0005
Summary:
AdLoad is a persistent and intrusive malware that mainly targets the Mac Operating System (MacOS), but also known to infect systems running the Windows Operating System (WinOS).
Damage/Probability: MODERATE/HIGH
Description:
AdLoad is a Trojan malware that creates a backdoor into an affected system so that other malware or Potentially Unwanted Programs (PUPs) can be introduced into the system. It can also collect system information and transmit it to its command-and-control (C2) server.
Consequences: A compromised system could allow threat actors to perform the following functions:
- Turn affected machines into bots for malicious campaigns.
- Redirect users to malicious websites.
- Insert rogue advertisements into web pages to generate advertisement revenue.
- Affect the performance of infected systems.
- Install key-loggers to steal personal credentials.
Detection:
The most effective method of detecting rouge applications such as AdLoad, is by using anti-malware applications. However, below are other methods of detecting the malware on an infected system:
- Reduced system performance.
- Unsolicited popup advertisement in browsers or search engine results.
- It is also commonly known to store its LaunchDaemon file in the local domain Library and the LaunchAgent file in the local user Library on MacOS. For example, if the malware uses the name "DataSearch", it stores "com.DataSearch.plist" in "~/Library/LaunchAgents/" and targets the executable file in "~/Library/Application Support/com.DataSearch/DataSearch".
Solution:
Guidance for End Users:
- Perform regular system scans using reputable antivirus programes.
- Ensure operating systems and applications are kept up to date.
- Ensure antivirus applications are updated.
- Avoid using binaries from free file-hosting sites, file-sharing networks, and third-party installers.
- Avoid installing additional apps or offers that are displayed during installation.
- Change passwords regularly for devices and shopping sites.
Guidance for Enterprise Administrators:
- Restrict access to privileged resources like Launchdaemons, LaunchAgents folders, or Sudoers file through OSX enterprise management solutions. This helps in mitigating common persistence and privilege escalation techniques.
- Encourage users to use web browsers that support SmartScreen, which identifies and blocks malicious websites.
- Turn on network protection to block connections to malicious domains and IP addresses.
- Install apps from trusted sources.
- Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2).
- Prevent the use of unauthorized apps with application control.
- Run the latest version of operating systems and applications.
- Deploy latest security updates and patches when available.
- Educate end users on preventing malware infections. Encourage end users to practice good credential hygiene limit the use of accounts with local or domain admin privileges.
References: