Mac systems turned into proxy exit nodes by AdLoad
Tags
cmtmf-attack-pattern: Resource Hijacking
maec-delivery-vectors: Watering Hole
attack-pattern: Data Model Botnet - T1583.005 Botnet - T1584.005 Cloud Services - T1021.007 Create Or Modify System Process - T1543 Disable Or Modify Tools - T1562.001 Disable Or Modify Tools - T1629.003 Dns - T1071.004 Dns - T1590.002 Domains - T1583.001 Domains - T1584.001 Drive-By Compromise - T1456 File And Directory Permissions Modification - T1222 Gatekeeper Bypass - T1553.001 Hardware - T1592.001 Impair Defenses - T1562 Impair Defenses - T1629 Launch Agent - T1543.001 Linux And Mac File And Directory Permissions Modification - T1222.002 Malware - T1587.001 Malware - T1588.001 System Information Discovery - T1426 Non-Standard Port - T1509 Non-Standard Port - T1571 Resource Hijacking - T1496 Server - T1583.004 Server - T1584.004 Subvert Trust Controls - T1632 Subvert Trust Controls - T1553 System Checks - T1633.001 System Checks - T1497.001 Virtualization/Sandbox Evasion - T1497 Virtualization/Sandbox Evasion - T1633 Connection Proxy - T1090 Deobfuscate/Decode Files Or Information - T1140 Drive-By Compromise - T1189 Gatekeeper Bypass - T1144 Launch Agent - T1159 System Information Discovery - T1082 Drive-By Compromise
Show in Graph
Common Information
Type Value
UUID 41a30d0b-8167-473d-b018-e37160b2cade
Fingerprint ac35411f8ff20001
Analysis status DONE
Considered CTI value 2
Text language
Published May 10, 2023, midnight
Added to db Aug. 10, 2023, 12:29 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Mac systems turned into proxy exit nodes by AdLoad
Title Mac systems turned into proxy exit nodes by AdLoad
Detected Hints/Tags/Attributes 107/3/104
Source URLs
Redirection Url
Details Source https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload
Details Source https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload?&web_view=true
Details Source https://www.cybersecurity-insiders.com/mac-systems-turned-into-proxy-exit-nodes-by-adload/
Details Source https://www.cybersecurity-insiders.com/mac-systems-turned-into-proxy-exit-nodes-by-adload/?utm_source=rss&utm_medium=rss&utm_campaign=mac-systems-turned-into-proxy-exit-nodes-by-adload
URL Provider
Details Provider Source level domain
Details att.com cybersecurity.att.com
Details cybersecurity-insiders.com www.cybersecurity-insiders.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 93 LevelBlue Blogs https://cybersecurity.att.com/site/blog-all-rss 2024-08-30 22:08
Details 99 Cyware News - Latest Cyber News https://cyware.com/allnews/feed 2024-08-30 22:08
Details 163 https://media.cert.europa.eu/rss?type=category&id=Malware&language=en&duplicates=false 2024-08-30 22:08
Details 297 Cybersecurity Insiders https://www.cybersecurity-insiders.com/feed/ 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1 
answers.uillinois.edu
Details Domain 2 
vpnservices.live
Details Domain 2 
upgrader.live
Details Domain 3 
digitaloceanspaces.com
Details Domain 2 
bapp.pictureworld.co
Details Domain 9 
s1.ai
Details Domain 2 
skilledobject.com
Details Domain 2 
browseractivity.com
Details Domain 2 
enchantedreign.com
Details Domain 2 
activitycache.com
Details Domain 2 
activityinput.com
Details Domain 2 
opticalupdater.com
Details Domain 2 
connectioncache.com
Details Domain 2 
analyzerstate.com
Details Domain 2 
essencecuration.com
Details Domain 2 
microrotator.com
Details Domain 2 
articlesagile.com
Details Domain 2 
progresshandler.com
Details Domain 2 
originalrotator.com
Details Domain 2 
productiveunit.com
Details Domain 2 
api.toolenviroment.com
Details Domain 2 
api.inetfield.com
Details Domain 2 
api.operativeeng.com
Details Domain 2 
api.launchertasks.com
Details Domain 2 
api.launchelemnt.com
Details Domain 2 
api.validexplorer.com
Details Domain 2 
api.majorsprint.com
Details Domain 2 
api.essentialenumerator.com
Details Domain 2 
api.transactioneng.com
Details Domain 2 
api.macreationsapp.com
Details Domain 4 
api.commondevice.com
Details Domain 2 
api.compellingagent.com
Details Domain 3 
api.lookupindex.com
Details Domain 2 
api.practicalsync.com
Details Domain 2 
api.accessiblelist.com
Details Domain 2 
api.functionconfig.com
Details File 20 
page.php
Details File 2 
bapp.pict
Details File 9 
s1.ai
Details File 2 
m.opt
Details sha256 1 
6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc
Details sha256 1 
54efc69cb6ee7fde00c0320202371dcdad127d0e7c8babce4659be8230d81a81
Details sha256 1 
d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b
Details sha256 1 
956aae546af632ea20123bfe659d57e0d5134e39cdb5489bd6f1ba5d8bbd0472
Details sha256 1 
3d063efde737b7b2e393926358cbb32469b76395e1a05e8c127a12e47550f264
Details sha256 1 
2d595880cfb1691dd43de02d1a90273919f62311a7668ef078709eff2fd6bd87
Details sha256 1 
7cb10a70fd25645a708c81f44bb1de2b6de39d583ae3a71df0913917ad1dffc3
Details sha256 1 
4a7c9829590e1230a448dd7a4272b9fbfbafccf7043441967c2f68f6082dde32
Details sha256 1 
68b6beb70bd547b75f2d36d70ca49f8b18542874480d39e33b09ee69eb1048b3
Details sha256 1 
1904b705105db4550371d678f8161826b98b1a9fca139fa41628214ed816d2f5
Details sha256 1 
2fb1d8e6454f43522f42675dcf415569e5df5d731e1d1390f793c282cce4a7aa
Details sha256 1 
ee9ebdb1d9a7424cd64905d39820b343c5f76e29c9cd60c0cdd3bfe069fb7d51
Details sha256 1 
c7721ab85bad163576c166a0a71c0dbe4cc491dda68c5a5907fd1d8cac50780d
Details MITRE ATT&CK Techniques 183 
T1189
Details MITRE ATT&CK Techniques 122 
T1543
Details MITRE ATT&CK Techniques 10 
T1543.001
Details MITRE ATT&CK Techniques 504 
T1140
Details MITRE ATT&CK Techniques 238 
T1497
Details MITRE ATT&CK Techniques 97 
T1497.001
Details MITRE ATT&CK Techniques 265 
T1222
Details MITRE ATT&CK Techniques 35 
T1222.002
Details MITRE ATT&CK Techniques 56 
T1553
Details MITRE ATT&CK Techniques 10 
T1553.001
Details MITRE ATT&CK Techniques 235 
T1562
Details MITRE ATT&CK Techniques 298 
T1562.001
Details MITRE ATT&CK Techniques 1006 
T1082
Details MITRE ATT&CK Techniques 152 
T1090
Details MITRE ATT&CK Techniques 115 
T1571
Details MITRE ATT&CK Techniques 107 
T1496
Details Url 1 
https://answers.uillinois.edu/illinois/page.php?id=120871
Details Url 2 
https://s1.ai/adload
Details Url 2 
http://m.skilledobject.com/a/rep
Details Url 2 
http://m.browseractivity.com/a/rep
Details Url 2 
http://m.enchantedreign.com/a/rep
Details Url 2 
http://m.activitycache.com/a/rep
Details Url 2 
http://m.activityinput.com/a/rep
Details Url 2 
http://m.opticalupdater.com/a/rep
Details Url 2 
http://m.connectioncache.com/a/rep
Details Url 2 
http://m.analyzerstate.com/a/rep
Details Url 2 
http://m.essencecuration.com/a/rep
Details Url 2 
http://m.microrotator.com/a/rep
Details Url 2 
http://m.articlesagile.com/a/rep
Details Url 2 
http://m.progresshandler.com/a/rep
Details Url 2 
http://m.originalrotator.com/a/rep
Details Url 2 
http://m.productiveunit.com/a/rep
Details Url 2 
http://api.toolenviroment.com/l
Details Url 2 
http://api.inetfield.com/l
Details Url 2 
http://api.operativeeng.com/l
Details Url 2 
http://api.launchertasks.com/l
Details Url 2 
http://api.launchelemnt.com/l
Details Url 2 
http://api.validexplorer.com/l
Details Url 2 
http://api.majorsprint.com/l
Details Url 2 
http://api.essentialenumerator.com/l
Details Url 2 
http://api.transactioneng.com/l
Details Url 2 
http://api.macreationsapp.com/l
Details Url 2 
http://api.commondevice.com/l
Details Url 2 
http://api.compellingagent.com/l
Details Url 2 
http://api.lookupindex.com/l
Details Url 2 
http://api.practicalsync.com/l
Details Url 2 
http://api.accessiblelist.com/l
Details Url 2 
http://api.functionconfig.com/l
Details Url 2 
https://vpnservices.live
Details Url 2 
http://bapp.pictureworld.co
Details Yara rule 8 
rule Macho {
	meta:
		description = "private rule to match Mach-O binaries"
	condition:
		uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}