Adload is a malicious adware and a potentially unwanted application (PUA) that targets Mac devices. It is known to impersonate legitimate apps, such as video players or support agents, and is most likely downloaded through malicious links on third-party websites. Adload is also dropped as an additional payload by the UpdateAgent trojan variants.
If the Adload adware has been launched, it is likely that the device is under complete attacker control. To help reduce the impact of this threat, you can:
Inspect the downloaded file and the process responsible for modifying the file quarantine attribute.
Stop suspicious processes, isolate the affected device, reset the password, block the associated IP addresses and URLs, and install security updates.
Investigate the device timeline for indications of reconnaissance and data exfiltration.
Contact your incident response team to start the incident response process. If you don't have one, contact Microsoft support for potential forensic analysis and remediation.
Once on the target device, Adload behaves like other malicious adware: it hijacks search engine results and injects ads into web pages.
To maintain persistence, the adware drops property list (.plist) files in the LaunchAgents or LaunchDaemons folders so that launchd starts it again at boot and login. The adware also drops additional payloads on the target device.
Keep Microsoft Defender Antivirus or Microsoft Defender for Endpoint on Mac updated.
Avoid using unknown binaries from free file-hosting sites, file-sharing networks, and third-party installers.
Choose custom or advanced installation settings.
While installing any third-party apps, read the terms and conditions carefully.
Avoid installing additional apps or offers that are displayed during installation.
Perform a system scan regularly.
Back up your files regularly.
Change the passwords for your device and for shopping sites regularly.
Guidance for enterprise administrators
Recommendations for Microsoft 365 Defender customers
Restrict access to privileged resources such as the LaunchDaemons and LaunchAgents folders and the sudoers file through a macOS enterprise management (MDM) solution. This helps mitigate common persistence and privilege escalation techniques.
Encourage users to use Microsoft Edge—available on macOS and various platforms—and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
Only install apps from trusted sources, such as the software platform’s official app store. Third-party sources may have lax standards for the applications that they host, allowing malicious actors to upload and distribute malware.
Enable potentially unwanted application (PUA) protection in block mode to block and automatically quarantine potentially unwanted applications. PUA protection blocking takes effect on endpoint clients after the next signature update or computer restart.
Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2).
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Prevent the use of unauthorized apps with application control.
Run the latest version of your operating systems and applications. Deploy the latest security updates as soon as they become available.
Educate end users about preventing malware infections. Encourage end users to practice good credential hygiene—limit the use of accounts with local or domain admin privileges and turn on Microsoft Defender Firewall to prevent malware infection and stifle propagation.
The following symptoms are observed on devices affected by this malicious adware:
Unexpected ads are shown in system apps.
Unwanted extensions might get installed.
The Sudoers file is modified.
Unexpected entries in login items, LaunchAgents, and LaunchDaemons folders.
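The symptoms above (unexpected LaunchAgents/LaunchDaemons entries, a modified sudoers file) and the quarantine-attribute check from the response steps can be triaged from copies of the relevant files. The following is an added example written for this page, not Microsoft's tooling or anything taken from an Adload sample: the trusted and staging path lists, the sudoers heuristics and the assumed `flags;timestamp;agent;uuid` layout of the `com.apple.quarantine` value are the author's assumptions, and all sample inputs are constructed.

```python
"""Triage helpers for launchd persistence, sudoers tampering and the quarantine attribute.
Illustrative code only: path lists, heuristics and samples are constructed assumptions."""
import plistlib
import re
from datetime import datetime, timezone
from typing import Optional

# Locations a legitimate launchd job normally executes from (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Staging directories droppers commonly write payloads to (assumption).
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/",
                    "/private/var/folders/", "/Users/Shared/")
# The two user specifications a stock macOS /etc/sudoers contains.
DEFAULT_SUDOERS_SPECS = {"root ALL=(ALL) ALL", "%admin ALL=(ALL) ALL"}


def program_path(job: dict) -> Optional[str]:
    """Executable a launchd job runs: Program takes precedence over ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def triage_launchd_plist(plist_bytes: bytes) -> list:
    """Findings for one LaunchAgents/LaunchDaemons plist; an empty list means nothing odd."""
    job = plistlib.loads(plist_bytes)
    path = program_path(job)
    if path is None:
        return ["job has neither Program nor ProgramArguments"]
    findings = []
    if path.startswith(STAGING_PREFIXES):
        findings.append(f"program lives in a staging directory: {path}")
    # A dot-prefixed directory (e.g. under ~/Library) is hidden from Finder.
    if any(part.startswith(".") for part in path.split("/") if part):
        findings.append(f"program path contains a hidden directory: {path}")
    if not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted locations: {path}")
    # Untrusted code that launchd restarts at boot and on exit is the classic adware loop.
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set: job re-spawns on boot and on exit")
    return findings


def triage_sudoers(text: str) -> list:
    """Flag sudoers user specifications that are password-less or not in the stock file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped.startswith(("#include", "@include")):  # directives, not comments
            continue
        spec = re.sub(r"\s+", " ", stripped.split("#", 1)[0].strip())
        if not spec or spec.startswith("Defaults"):
            continue
        if "NOPASSWD" in spec:
            findings.append(f"line {lineno}: password-less sudo: {spec}")
        elif spec not in DEFAULT_SUDOERS_SPECS:
            findings.append(f"line {lineno}: non-default user specification: {spec}")
    return findings


def parse_quarantine_attr(value: str) -> dict:
    """Split a com.apple.quarantine value into fields, assuming 'flags;timestamp;agent;uuid'
    with flags and the download time (Unix seconds) in hex. 'agent' names the application
    that set the attribute, i.e. the process that downloaded the file."""
    fields = value.split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine attribute: {value!r}")
    return {
        "flags": int(fields[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2],
        "uuid": fields[3] if len(fields) > 3 else "",
    }


# Constructed samples, not artifacts from a real infection.
ADWARE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.SearchHelper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.SearchHelper/SearchHelper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
STOCK_DAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>Program</key><string>/usr/libexec/example</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
TAMPERED_SUDOERS = """# constructed sample
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
#includedir /private/etc/sudoers.d
alice ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    print(triage_launchd_plist(ADWARE_AGENT_PLIST))   # three findings
    print(triage_launchd_plist(STOCK_DAEMON_PLIST))   # []
    print(triage_sudoers(TAMPERED_SUDOERS))           # password-less sudo on line 6
    print(parse_quarantine_attr("0083;5f8a8c44;Safari;1A2B3C4D-0000-0000-0000-000000000000"))
```

On a real device, feed `triage_launchd_plist` the contents of each file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and `parse_quarantine_attr` the value printed by `xattr -p com.apple.quarantine <file>`; a finding is a reason to look, not a verdict, so treat the flagged job's program path and the quarantine agent as the starting point for the timeline investigation described above.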
Microsoft Defender Antivirus or Microsoft Defender for Endpoint on Mac raises an alert if it detects this threat on your device, and automatically removes threats as they are detected. It will quarantine the malware even if the process is running. If this threat is detected on your environment, we recommend that you immediately investigate it.