The Mac Security Blog

Malware

OSX/Adload: Mac Malware Apple Missed for Many Months

Posted on by

In recent weeks, there has been increased awareness of a common Mac malware campaign dubbed Adload. It typically consists of a Trojan horse dropper app, often disguised as a Flash Player installer, which installs a LaunchAgent or LaunchDaemon as a method of persistence (so the malware can continue to infect the Mac whenever it gets powered on or restarted).

Intego VirusBarrier X9 detects files from this Adload campaign as OSX/Adload and OSX/Bundlore.zsh. However, Apple’s XProtect definitions built into macOS did not detect much of this malware until several months after it had already been infecting Macs.

Read on for more details on this latest Mac malware threat.

How does Adload malware spread?

The latest OSX/Adload variants arrive via an OSX/Bundlore Trojan horse, which generally masquerades as an installer mimicking the icon art style of Adobe Flash Player, and continues to claim to be Flash Player during the installation process.

OSX/Adload fake Adobe Flash Player installer

An OSX/Bundlore fake Adobe Flash Player installer, which actually installs OSX/Adload. (Image: Intego)

Most often, such Trojan horses are unintentionally encountered when a victim visits a malicious link, or a compromised (hacked) site that automatically redirects to a malicious download. In some cases, poisoned search results on Google or other search engines may lead to such malware.

Why does malware still pretend to be Flash Player?

Adobe Flash Player officially ended security updates on December 31, 2020, but that hasn’t stopped malware makers from disguising their Trojan horses as Flash installers.

The reality is, however, that most non-geeks are unaware that Flash is past its end of life. At one point in Flash Player’s history, installing urgent Flash updates became an almost weekly occurrence, as new zero-day exploits for the bug-riddled software were found routinely.

Old habits die hard, and many users have come to expect that they need to update Flash whenever they’re prompted to. For some, it has become an almost Pavlovian response—and that seems to be what malware makers are banking on.

As further discussed in:

Adobe Flash Player is dead, yet 10% of Macs are infected with fake Flash malware

How long has the malware been around?

Intego has been detecting variations of OSX/Adload malware for several years, since at least 2017. According to Intego’s internal tracking of Adload campaigns, there seemed to be a sudden reappearance of Adload around April 2020, and a further resurgence around September 2020.

The current campaign appears to have begun in November 2020 (as noted by Phil Stokes in his technical deep dive) and continues today, in August 2021.

Although Intego VirusBarrier users were already protected from the latest variants, Apple did not add signatures for the recent Adload/Bundlore campaign to its XProtect definitions until August 23, 2021, as noted by Howard Oakley. (For an explanation of Apple’s usually outdated and mostly ineffective XProtect technology, see the “XProtect: Apple’s malware detection engine” section of this article.)

OSX/Bundlore droppers may be signed and notarized

Notarized Mac malwareAs we have noted before, Mac malware droppers like OSX/Bundlore are often signed with an Apple developer certificate (one developer account used in this campaign was “Eric Jeansonne (CVRCZ9H65R)”), and the droppers may even be notarized.

Notarization is specifically supposed to identify and block new malware before it can ever infect Macs, but Apple’s automated notarization process has continuously been tricked into notarizing malware samples that Apple has failed to detect as malicious. (Notarization is an automated process that does not involve any manual review by human employees at Apple. This differs from App Store submissions which must pass both automated and human inspections.)

Both code-signed and notarized samples have been observed as part of the latest Adload campaign. When Apple becomes aware that a developer certificate has been used to sign malware, Apple revokes the certificate, but malware makers simply purchase (or hack into) another developer account and continue to code-sign their malware to more easily avoid being blocked by macOS’s built-in defenses.

Strangely, even though Apple had revoked a number of certificates that the malware developer had been using, Apple neglected to add detection for this malware to its XProtect definitions until just recently. This meant that the malware makers could simply re-sign their malware with a new developer certificate and immediately continue infecting Macs, rather than also having to redesign their malware to try to evade Apple’s XProtect detection.

How can one remove or prevent Adload, Bundlore, and other threats?

Given that Apple has frequently notarized Mac malware, and Apple’s other threat mitigation features such as Gatekeeper, XProtect, and MRT do not block many types of threats, it is evident that Apple’s own macOS protection methods are insufficient by themselves.

Related: Do Macs need antivirus software?

Do Macs need antivirus software?

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate OSX/Adload and OSX/Bundlore malware.

VirusBarrier is designed by Mac security experts, and it protects against a much wider variety of malware than Apple’s mitigation methods.

If you believe your Mac may have been infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer that includes real-time scanning, such as VirusBarrier X9—which also protects Macs from M1-native malware, cross-platform malware, and more. Intego recently earned a 100% detection rating for both Mac and Windows malware in AV-Comparatives’ third-party independent testing.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from these threats. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

Is OSX/Adload known by any other names?

Other vendors’ names for threats from this malware campaign may include, for the persistent infection (which Intego detects as OSX/Adload), variations of: Adware.MAC.AdLoad, Adware.OSX.AdLoad, Adware.OSX.Cimpli, Adware/Adload!OSX, Adware/Cimpli!OSX, Downloader.Adload.OSX, MACOS.2afe6bd, MACOS.7c241b4, MacOS/Adload, OSX/Dldr.Adload, OSX/Dwnldr-AASO, PUA:MacOS/Adload, and Trojan-Downloader.OSX.Adload.

The dropper files (which Intego detects as OSX/Bundlore.zsh) are identified by other vendors under names such as: Adware.OSX.Bnodlero, Adware.OSX.Bundlore, MACOS.a9ea9b4, MACOS.ef3df25, MacOS:AdAgent, PUA:MacOS/Bundlore, and Trojan-Downloader.OSX.Shlayer.

How can I learn more?

For more technical details of the recent Adload campaign, you can read Phil Stokes’ write-up.

We discussed OSX/Adload on episode 204 of the Intego Mac Podcast. Be sure to follow the podcast to make sure you don’t miss any episodes! You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

You can also follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →