Image: Christian Wiediger (unsplash)
The AdLoad malware, which targets macOS systems, has been operational for over half a decade. Recent observations have revealed a new malicious function: incorporating compromised systems into a residential proxy botnet without the knowledge of the system’s owner.
Research teams from AT&T Alien Labs, after analyzing over 150 samples of the malware from various sources, found that numerous devices have been compromised. Alien Labs reports that there are more than 10,000 IPs connecting to these proxy servers weekly. It remains uncertain whether all these systems have been compromised or if some are being voluntarily used as proxies. Such a large number might hint at a widespread global infection.
Insights on the AdLoad Malware
AdLoad operates as adware, which sets up a web proxy, routing users’ web traffic via servers under the control of the adware developers. This allows them to manipulate search engine outcomes and insert their own advertisements into user-viewed pages. This tactic diverts ad revenue away from the legitimate site owners.
Moreover, AdLoad can introduce more harmful payloads into a system, including potentially unwanted applications (PUAs), other kinds of adware, browser extensions, and various proxy software.
Over time, AdLoad's resilience and ability to avoid detection have become noteworthy. Its developers have equipped it with sophisticated mechanisms to evade both native macOS security measures and third-party antivirus solutions, and to persist across system restarts.
How AdLoad Uses Macs as Proxies
Recent samples of AdLoad, identified in June 2023, were extensively studied by AT&T Alien Labs. When activated, AdLoad collects data from the system, notably the system’s UUID, and notifies its server of the infection.
This malware communicates with various domains, frequently connecting to sites like vpnservices[.]live or upgrader[.]live, which seem to operate as control centers for proxy servers. The malware downloads a residential proxy app, unzips the files, circumvents macOS’s security measures, and relocates them.
Once installed, the compromised systems begin operating as proxy servers. The domains linked to these proxy nodes have been traced back to a small company that offers proxy services. While the exact motives behind building this residential proxy botnet remain uncertain, there are indications that it is being used in spam campaigns.
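A defender's first check for the behaviour described above is to look for lookups of the two control domains the researchers named in DNS resolver logs. The following script is an added example, not code from the article or from Alien Labs: the indicators come from the text, the log format and log lines are constructed here, and the helper names are the author's own.

```python
from collections import Counter
from typing import Optional

# Indicator domains named in the article (written defanged there).
DEFANGED_INDICATORS = ["vpnservices[.]live", "upgrader[.]live"]

# Constructed sample resolver log lines: "<timestamp> <client_ip> <query>".
SAMPLE_DNS_LOG = """\
2023-06-12T08:01:02Z 10.0.4.17 api.vpnservices.live
2023-06-12T08:01:05Z 10.0.4.17 cdn.example.com
2023-06-12T08:02:11Z 10.0.4.23 UPGRADER.LIVE.
2023-06-12T08:03:40Z 10.0.4.17 upgrader.live
2023-06-12T08:04:00Z 10.0.4.31 notupgrader.live
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'vpnservices[.]live' into 'vpnservices.live'."""
    return indicator.replace("[.]", ".").lower()

def matches_indicator(query: str, indicators) -> Optional[str]:
    """Return the indicator the query matches (exact domain or a subdomain), else None.

    Trailing dots and case are normalised; 'notupgrader.live' must NOT match.
    """
    name = query.lower().rstrip(".")
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None

def scan_dns_log(log_text: str, defanged=DEFANGED_INDICATORS):
    """Return (hits, clients): matched (ts, client, query, indicator) tuples and
    a per-client count of indicator lookups, so repeat offenders stand out."""
    indicators = [refang(d) for d in defanged]
    hits = []
    clients = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines rather than crash on them
            continue
        ts, client, query = parts
        ind = matches_indicator(query, indicators)
        if ind is not None:
            hits.append((ts, client, query, ind))
            clients[client] += 1
    return hits, clients

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG)[0]:
        print(hit)
```

Hosts that resolve these names repeatedly are candidates for the removal steps the researchers published.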
The study also indicated the presence of Windows devices within this botnet, revealing its cross-platform capabilities. Recommendations for removing these malware samples and additional defensive measures were provided by the researchers to aid IT professionals.
Increasing Threats for Mac Users
Although Windows systems have been historically preferred by malicious actors, the growing popularity of Macs among both individuals and corporations means malware tailored for macOS is escalating.
A study by Jamf, specializing in Apple device management, highlighted that in 2020, enterprises reporting the use of Mac as their primary device grew to 23% from 17% in 2019. This trend likely continued into the subsequent years, suggesting a potential security blind spot for many businesses.
Past macOS-targeted activities were relatively limited due to macOS’s smaller footprint in the global enterprise ecosystem and the specialized expertise needed to breach it. However, from 2022 to mid-2023, there was a notable surge in macOS-directed malicious activity.
Malevolent entities have been diversifying their macOS-focused arsenal, developing macOS-centric data theft tools and exploits, some targeting undisclosed vulnerabilities. Concurrently, they are also enhancing techniques to circumvent macOS security features and are expanding into developing ransomware tailored for macOS.