Apple's Defenses Fail Against Updated AdLoad Malware

  • 18th Aug 2021
  • Onecover

As reported by SentinelOne researchers, multiple ongoing campaigns started in November last year, with a rise in activity detected from early July to early August. Researchers observed more than 220 samples, 150 of which were not detected by XProtect, Apple's built-in antivirus; XProtect has since been updated with around a dozen AdLoad signatures. Many of the samples spotted by SentinelOne are signed with genuine Developer ID certificates issued by Apple, while others are built to run under default Gatekeeper settings.

During the attack, once the adware infects a Mac, it installs a Man-in-the-Middle (MITM) web proxy to hijack search engine results and inject ads into web pages for financial gain. It then gains persistence on the compromised Mac by installing LaunchDaemons and LaunchAgents; in some instances, user cron jobs that run every two and a half hours are used as well.
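A defender-side triage helper for the two persistence mechanisms the article names (launchd agents/daemons and periodic cron jobs), added here as an example and not code from SentinelOne, Apple or the article; the plist, crontab lines, paths and the "user-writable path" heuristic are all constructed assumptions.

```python
# Added triage helper for the launchd and cron persistence described above
# (not SentinelOne's or Apple's code); all samples below are constructed.
import plistlib

# Locations a non-root user can write to; a job whose program lives here
# deserves a closer look (constructed heuristic, not a detection rule).
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def audit_launch_plist(data: bytes) -> list[str]:
    """Return findings for one LaunchAgent/LaunchDaemon plist."""
    plist = plistlib.loads(data)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    findings = []
    if program.startswith(USER_WRITABLE):
        findings.append(f"program in user-writable path: {program}")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at login/boot")
    if "StartInterval" in plist:
        findings.append(f"StartInterval: re-runs every {plist['StartInterval']}s")
    return findings

def cron_interval_minutes(line: str) -> "int | None":
    """Interval of a simple step schedule ('*/N' in minute or hour), else None."""
    fields = line.split(None, 5)
    if line.lstrip().startswith("#") or len(fields) < 6:
        return None
    minute, hour = fields[0], fields[1]
    if minute.startswith("*/") and hour == "*":
        return int(minute[2:])
    if minute.isdigit() and hour.startswith("*/"):
        return int(hour[2:]) * 60
    return None

def audit_crontab(text: str) -> list[str]:
    """Flag periodic crontab entries whose command lives in a user-writable path."""
    hits = [(cron_interval_minutes(l), l.split(None, 5)[-1]) for l in text.splitlines() if l.strip()]
    return [f"every {m} min: {c}" for m, c in hits if m is not None and c.startswith(USER_WRITABLE)]

# Constructed samples resembling the persistence described in the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/.h/helper</string></array>
<key>RunAtLoad</key><true/><key>StartInterval</key><integer>9000</integer></dict></plist>"""
SAMPLE_CRON = "# constructed\n0 */2 * * * /Users/alice/Library/.h/run.sh\n*/15 * * * * /usr/bin/true\n"

if __name__ == "__main__":
    for finding in audit_launch_plist(SAMPLE_PLIST) + audit_crontab(SAMPLE_CRON):
        print(finding)
```

On a real Mac the same functions can be fed the files under ~/Library/LaunchAgents, /Library/LaunchDaemons and the output of `crontab -l`; a hit is a prompt for manual review, not proof of infection.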

Hundreds of unique samples of the well-known AdLoad adware circulated in the wild undetected for almost ten months, which calls for immediate attention. It shows that attackers are getting smarter with every passing day and underlines the need for additional layers of security to protect Mac devices.

