Apple declares war on Adload malware

This week’s security data update to XProtect is unique in the magnitude of its changes. In a single update, the Yara detection rules used by macOS to check for malware have grown by 20% with the addition of 74 new rules, all of them aimed at a single target, Adload. Apple’s security engineers are clearly determined to get the better of that old adware and bundleware loader.

‘Classic’ XProtect is provided as a bundle containing a database, three property lists and a set of Yara rules that are compiled for XProtect to use on demand when executable code is checked by Gatekeeper. Those rules determine what macOS considers to be malicious and blocks from being loaded and run. Originally they were only used when checking quarantined apps and code for the first time, but in recent versions of macOS checks have become increasingly frequent, and now run whenever third-party code is being prepared to load. This contrasts with the newer XProtect Remediator, a set of 23 executable scanning modules that are run every 24 hours or so to look for signs of known malicious software, including Adload.

Adload probably emerged in 2016, and Apple’s first attempts to detect it appeared in XProtect version 2094 on 25 August 2017, containing detection rules for two variants, A and B. Then in late February 2021, from XProtect 2140 onwards, Apple started updating Yara rules for Adload more frequently. When Apple released the first functional update to XProtect Remediator, version 2, by June 2022, it too had its own scanning module targeting Adload.

Last September Apple started a new cat-and-mouse campaign, and since XProtect 2172 it has released nine updates to the detection rules for Adload’s many variants and components in the Yara file.

Adload has a track record of rapid change that makes it hard for any adversary using Yara rules for static detection to keep pace. Phil Stokes of SentinelOne Labs has given fuller details of its changing habits and multitude of variants in this review.

The size of the Yara rule file in XProtect 2192, released on 23 April 2024, has risen from 235 KB in 2191 to 281 KB in 2192, as a result of the addition of the 74 new rules listed in the Appendix below. The Adload module in XProtect Remediator 131, released at the same time, has also increased in size from 2.365 MB in version 130 to 2.498 MB in 131. (For those concerned with false positives resulting from its BadGacha scanning module, that has reduced in size in 131, bringing hope that it may report fewer anomalies than its predecessor.)
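A quick way to see what a new XProtect version actually changed, rather than only its file size, is to compare the rule headers of the old and new Yara files. The script below is an added example, not Apple’s code: it parses `rule NAME : tags` headers, reports added and removed rules and the percentage growth in rule count, and prints the additions in the `name : tag` style used in the Appendix. The sample rule files are constructed here; on a Mac you would point it at the bundle’s XProtect.yara (assumed location under `/Library/Apple/System/Library/CoreServices/`) and a saved copy of the previous version.

```python
import re
# A rule header such as `rule macos_adload_launcher : adware`; the `{` may be on the next line.
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{", re.M)

def rule_names(yara_text):
    """Map each rule name to its tags (the `: adware` part in the Appendix list)."""
    return {m.group(1): (m.group(2) or "").split() for m in RULE_HEADER.finditer(yara_text)}

def diff_rules(old_text, new_text):
    """Added/removed rule names and the growth in rule count between two file versions."""
    old, new = rule_names(old_text), rule_names(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "old_count": len(old), "new_count": len(new),
        # Percentage growth in rule count (the post quotes 20% for 2192).
        "growth_pct": round(100.0 * (len(new) - len(old)) / len(old), 1) if old else 0.0,
    }

def format_added(new_text, added):
    """Render added rules in the `name : tag` style the Appendix uses."""
    tags = rule_names(new_text)
    return [f"{n} : {' '.join(tags[n])}" if tags[n] else n for n in added]

# Constructed stand-ins for two consecutive rule-file versions; names and bodies are made up.
OLD_RULES = """
rule sample_loader_a : adware
{
    strings: $s = "sample-install-helper"
    condition: $s
}
rule sample_loader_b { strings: $s = "/tmp/sample" condition: $s }
rule sample_retired { condition: filesize < 1MB }
"""
NEW_RULES = OLD_RULES.replace("rule sample_retired { condition: filesize < 1MB }\n", "") + """
rule sample_loader_c : adware dropper
{
    strings: $s = "sample-dropper-marker"
    condition: $s
}
private rule sample_helper_strings { strings: $s = "sample" condition: $s }
"""

if __name__ == "__main__":
    # For a real comparison, pass the bundle's XProtect.yara and a saved copy of the previous version.
    report = diff_rules(OLD_RULES, NEW_RULES)
    print(f"{report['old_count']} -> {report['new_count']} rules (+{report['growth_pct']}%)")
    print("\n".join(format_added(NEW_RULES, report["added"])))
```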

In releasing all 74 new rules in a single update, Apple is firing a full broadside at Adload’s developers, intending to overwhelm efforts to evade detection until the malware has been extensively rewritten. It also raises the question of whether Apple is now using ML/AI to generate its Yara rules, as developing that many by hand would normally take considerable time and effort. There are already several ML/AI-based tools that will generate Yara rules, but Apple doesn’t appear to have made much use of them in the past, at least not on this unprecedented scale.

It will be interesting to see how successful this approach is with Adload, and whether Apple will use it to tackle other versatile malware such as XCSSET/DubRobber, Genieo and CloudMensis/SnowDrift in future updates to XProtect.

Appendix: New rules added to XProtect 2192

74 new rules for Adload:

macos_adload_launcher
macos_adload_main
macos_adload_agent
macos_smolgolf_adload_dropper
macos_smolgolf_adload_dropper_mrt
macos_gardna_agent
macos_gardna_agent_b
macos_magicplant_dropper
macos_magicplant_dropper_function : adware
macos_magicplant_dropper_obfuscated_function : adware
macos_adload_python_dropper
macos_biter_dropper : adware
macos_biter_second_stage : adware
macos_biter_b_dropper : adware
macos_biter_b_dropper_xprotect
macos_adload_downloader_dec2020_strings
macos_adload_d
macos_adload_e
macos_adload_f
macos_adload_search_daemon
macos_adload_wwxf_objc
macos_adload_c_dropper : adware
macos_adload_shell_script_obfuscation
macos_adload_fantacticmarch : dropper
macos_adload_d_xor_obfuscation
macos_adload_daemon_obfuscation
macos_adload_nautilus_dropper
macos_adload_nautilus_dropper_xprotect
macos_adload_nautilus_installer : adware
macos_adload_nautilus_obfuscated_function : adware
macos_adload_nautilus_xprotect
macos_adload_dropper_custom_upx
macos_adload_dropper_custom_upx_unpacked
macos_adload_macho_deobfuscation_code
macos_adload_swift_dropper_strings
macos_adload_kotlin_agent
macos_adload_gardna_c
macos_airplay_app
macos_toydrop_a
macos_toydrop_b
macos_toydrop_a_obfuscation_code
macos_toydrop_a_agent_strings
macos_adload_dropper_cpp_function
macos_smolgolf_adload_dropper_B
macos_toydrop_pkg_null_padded_trailer : dropper
macos_adload_mitmproxy_goproxy : adware
macos_adload_mitmproxy_goproxy_b
macos_adload_mitmproxy_goproxy_c
macos_adload_mitmproxy_pyinstaller
macos_adload_search_daemon_qls
macos_adload_search_agent_qls_str
macos_adload_search_agent_qls
macos_adload_search_qls_combo
macos_adload_golang
macos_adload_g_fragment
macos_adload_g_extension_plist
macos_adload_g_bundle
macos_adload_g_go_funcs
macos_adload_g_chrome_constants
macos_adload_calypso_obfuscation
macos_adload_websearchstride_strings
macos_adload_websearchstride_xor
macos_adload_pdfcreator
macos_adload_common_data
xprotect_macos_adload_common_data
macos_adload_format_strings
macos_adload_random_bytes
macos_adload_c2_constants
macos_adload_search_daemon_b
macos_xprotect_adload_search_daemon_b_common
macos_adload_search_daemon_c
macos_xprotect_adload_search_daemon_c_common
macos_adload_weird_plutil
macos_adload_dylibs

Note that these also finally reveal that the XProtect Remediator scanning module for ‘ToyDrop’ is part of the Adload complex. They also cover language variants of Adload, including Python, Swift, Go and Kotlin.