Macs are getting compromised to act as proxy exit nodes

AdLoad, well-known malware that has been targeting systems running macOS for over half a decade, has been observed delivering a new payload that – unbeknown to the owners – enlisted their systems into a residential proxy botnet.

According to AT&T Alien Labs threat intelligence researchers, who analyzed over 150 samples of the malware they found in the wild, many devices are infected.

“Alien Labs has identified over 10,000 IPs reaching out to the proxy servers each week that have the potential to be proxy exit nodes. It is unclear if all these systems have been infected or are voluntarily offering their systems as proxies, but it could be indicative of a bigger infection globally.”

The AdLoad macOS malware

AdLoad is adware that installs a web proxy to redirect user’s web traffic through servers owned by the adware operators, so that they can hijack search engine results and insert specific ads into the pages viewed by the user (thereby siphoning ad revenue from the website owners).

AdLoad also serves as a downloader for additional payloads: PUAs, other adware (e.g., Mughthesec), browser extensions, and other proxy applications.

AdLoad is known for being highly evasive and persistent. Through the years, its developers have armed it with clever techniques to hide from built-in macOS security tools and third-party antivirus programs and to persist through system restarts.

AdLoad is turning Macs into proxies

AT&T Alien Labs researchers have analyzed many variants of the most recent AdLoad sample, which has been spotted in the wild during June 2023.

Once executed, this AdLoad sample gathers system information – including the system’s UUID (Universally Unique Identifier) – and connects to an AdLoad server to report the infection.

“After beaconing to the AdLoad server, the sample reaches out to a different domain, usually vpnservices[.]live or upgrader[.]live, appearing to be a proxy server’s C&C,” the researchers explained.

“The request carries as a parameter the UUID of the infected machine among other encoded parameters. This request responds with a link of the file to download, usually in digitaloceanspaces[.]com. It also includes the environment to use and the version number of the payload.”

AdLoad infection process. (Source: AT&T Alien Labs)

The malware then downloads the (residential) proxy app, unzips the files, removes the quarantine attribute that would make them visible to the macOS Gatekeeper, and moves them to a new folder.

“If the proxy application is already running, the malware kills it, and then executes it in the background. During its execution, AdLoad gains persistence by installing itself as a Launch Agent with organization name usually formed by org.[random long string].plist, which points at the proxy application executable in the Application Support folder,” the researchers explained.

Finally, the hosts start functioning as a proxy server.

AT&T Alien Labs have traced the domains serving as proxy server nodes to a small business selling proxy services. “The intentions behind the users of this botnet for residential proxy systems is still unclear, but so far it has already been detected delivering SPAM campaigns,” they noted.

The researchers also suggested that not all of the machines in this botnet are Macs, since they have also spotted Windows samples that also end up acting as proxies. They have provided recommendations on how to remove AdLoad samples and the proxy application from the system, as well as YARA rules and IOCs to help enterprise security staff identify infections on managed systems.

Attackers are increasingly targeting Macs

Windows-based systems have long been the primary target for cybercriminals, but since more and more consumers and enterprises are using Macs, specialized malware for macOS is on the rise.

“According to a survey by Jamf, a company that manages Apple devices, in 2020, the percentage of enterprise organizations that reported using Mac as their primary device increased to 23%, up from 17% in 2019. These numbers may have risen even more since the 2020 report, leaving businesses vulnerable unless they adjust their security posture to face this new, emerging threat,” Accenture analysts have pointed out.

“Previous macOS-related activity has been limited in scope owing to the comparatively smaller role played by macOS in enterprise infrastructure globally and the more advanced and niche skills required to target the Apple operating system. Yet, in 2022 and the first half of 2023, macOS-targeting activity has intensified.”

Threat actors have started to develop and distribute macOS-specific infostealer strains and exploits (including for zero-days), and have been selling tools and services targeting macOS systems.

They have also been increasingly executing attacks that bypass macOS Gatekeeper, and ransomware groups have started working on ransomware variants targeting the popular OS.

UPDATE (August 18, 2023, 06:15 a.m. ET):

The same server proxy application is being foisted on Windows machines as well, according to AT&T.