AdLoad, first discovered in 2018, is a family of ad-injection malware that primarily targets Mac users. It inundates victims with pop-up ads and promotional messages and frequently redirects browser traffic to unwanted advertisements. DesignationDrive and EssentialPlatform are two Mac adware variants within this threat family. The malware has been observed using deceptive lures such as fake "Update Adobe Flash Player" alerts to trick users into downloading it. Once installed, it alters browser settings in Mozilla Firefox, Google Chrome, Internet Explorer, and Safari, disrupting the user's web experience with intrusive ads.
The AdLoad dropper was notably notarized by Apple and used a Gatekeeper bypass, which significantly increases its potential for damage. This discovery prompted further investigation, described in a blog post by AT&T Cybersecurity, which revealed that AdLoad was turning infected Mac systems into proxy exit nodes. The malware's activity closely resembles the HM Surf technique, but because only a limited portion of the steps leading up to that activity has been observed, it remains unclear whether AdLoad directly exploits the HM Surf vulnerability.
Microsoft has noted suspicious activity associated with the AdLoad adware that suggests it might be exploiting the HM Surf vulnerability. However, without concrete evidence of the steps that led to the activity, it cannot be conclusively determined whether the AdLoad campaign is in fact exploiting this vulnerability. Despite this uncertainty, the similarity in method makes defending against attacks that use this technique all the more important. Both Microsoft and Apple have been contacted for further comment on this issue. In the meantime, macOS users are strongly advised to apply updates promptly to mitigate potential exploitation activity associated with AdLoad.
Description last updated: 2024-10-21T08:32:41.878Z