Mac systems turned into proxy exit nodes by AdLoad

This article, originally published by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers, highlights the ongoing presence of AdLoad malware on Mac systems. AdLoad, a package bundler, has been observed delivering various payloads, but the most common component dropped in the past year has been a proxy application that turns infected Mac systems into a residential proxy botnet. The researchers have observed over 150 samples of AdLoad malware in the wild during the last year, indicating that thousands of Mac systems may have been hijacked as proxy exit nodes. While the samples analyzed in this blog are specific to macOS, Windows samples have also been observed.

AdLoad has been known to act as a downloader for a different payload every few months to a year, depending on system settings. It has been seen delivering adware, bundleware, PiTM (person-in-the-middle) components, backdoors, and proxy applications. The malware includes a beacon that reports the number of infected systems, likely supporting a pay-per-install scheme.

Recently, AT&T Alien Labs observed a previously unreported payload being delivered by AdLoad, which converts infected systems into proxy exit nodes. This payload has been detected delivering spam campaigns, including one that affected the University of Illinois. The researchers provide an analysis of a specific sample of AdLoad observed in June, describing its execution process and its communication with the AdLoad server and the proxy servers.

The article concludes by highlighting the significant number of devices infected by AdLoad, with over 10,000 IPs reaching out to the proxy servers each week. The intentions behind the use of this residential proxy system are still unclear, but it has already been used for spam campaigns.
