Adload malware pushes new versions using different names
Adload is an aggressive malware infection that targets Mac OS X users. It acts as adware and hides under a variety of names in the system, such as ConnectedPlatform, UpdaterSync, ExecutiveOperation, UltraLocator and others. It works by mounting a Man-in-the-Middle attack: it installs a web proxy that redirects the user’s web traffic through servers chosen by the attacker. This virus differs from usual ad-serving programs in that it is hard to remove – it tends to leave backdoor access to your system that can later be exploited to install additional adware. The latest known versions of this adware are named TypicalInput, AdminLink, OperativeMachine and AnySearchManager.
Adload adware can evade the built-in macOS security systems as well as various third-party anti-virus programs. Its main activity is browser hijacking – promoting fake search engines and changing default browser settings.
This malware is certainly not new – the first variants of this malicious software were discovered in late 2017.
As mentioned earlier, the creators of this adware tend to change the name of the software to make it even harder to identify and remove. However, researchers have observed a certain pattern in the names used for this virus. You can find the list down below, but generally this type of adware tends to use the words ‘lookup’, ‘datasearch’ and ‘results’ in its name. Be sure to check whether any software present on your system contains these words in its name.
Remove Adload malware using INTEGO ANTIVIRUS for Mac (includes scanning for iOS devices). The one-of-a-kind security suite provides VirusBarrier X9 real-time protection against Mac and Windows-based malware, removes existing threats and scans for malware in popular e-mail clients. Includes NetBarrier X9, an intelligent firewall for home, work and public connections.
Adware uses helper components to stay on infected system
To understand why Adload adware is difficult to deal with, you must understand how it works. Once present on your system, it stores its files in various places – some of these files can be found easily, others are designed to be more elusive and hard to find. Note that these actions can only be taken once the victim provides the admin password. The adware operates by placing its two LaunchDaemon files in the local domain Library and its LaunchAgent file in the user’s Library.
For example, if this malicious software uses the name ‘SearchRange’, it stores the file ‘com.SearchRange.plist’ in the ‘~/Library/LaunchAgents/’ directory, and that file points at the executable ‘~/Library/Application Support/com.SearchRange/SearchRange’.
The program then stores ‘com.SearchRangeDaemon.plist’ in ‘~/Library/LaunchDaemons/’, pointing at ‘~/Library/Application Support/com.SearchRangeDaemon/SearchRange’, as well as ‘com.SearchRangeP.plist’ in ‘~/Library/LaunchDaemons/’ – this one targets the Mach-O executable ‘SearchRangeDaemon’ in the ‘/var/root/.SearchQuest/SearchRangeDaemon’ directory.
The last file triggers a Python script (‘SearchRange.py’) that connects to a remote host. To keep the adware working, it creates a hidden directory ‘/var/root/.mitmproxy’. In addition, the Adload virus installs a user cron job and an executable in a subfolder of the user’s Library/Application Support folder.
The subfolder has a UUID-like hex name with the 8-4-4-4-12 pattern, and the executable inside it has a different UUID-like hex name with the same 8-4-4-4-12 pattern. This code is scheduled to run every 2 hours and 30 minutes. This way, the adware developers get to push their preferred websites to the victims. The main benefit gained from this is financial – the hackers earn revenue from your visits to certain types of websites.
Removing Adload manually can be a bothersome task, since you would need to delete all the associated files: the launch agent, the cron job files, the daemons, and the processes in ‘/var/root’. Moreover, there is a high chance that the adware will recreate some of these files while you are trying to remove Adload from your system. In theory, after a few attempts at manual removal, you should be able to do it. Instructions on how to do it are given down below.
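As an added detection example (not code from the article or from any vendor tool), the script below turns the persistence layout described above into checks a defender can run over launchd plists and a user crontab: the com.X / com.XDaemon / com.XP label triplet, a UUID-named executable inside a UUID-named Application Support subfolder, a Mach-O under a hidden /var/root directory, and the naming words reported earlier. The sample plist and crontab line are constructed for the demonstration.

```python
import plistlib
import re

# Patterns follow the persistence layout described in the article (detection only).
HEX = "[0-9a-fA-F]"
UUID_RE = rf"{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}"
# UUID-named executable inside a UUID-named Application Support subfolder
UUID_EXE_RE = re.compile(rf"Library/Application Support/{UUID_RE}/{UUID_RE}$")
# Mach-O dropped in a hidden directory under /var/root, e.g. /var/root/.SearchQuest/
HIDDEN_ROOT_RE = re.compile(r"^/var/root/\.[^/]+/")
# Words the article reports inside Adload's chosen names
NAME_WORDS = ("lookup", "datasearch", "results")

def program_path(job: dict) -> str:
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def assess_job(plist_bytes: bytes) -> list:
    """Adload-style indicators found in one LaunchAgent/LaunchDaemon plist."""
    job = plistlib.loads(plist_bytes)
    label, prog = job.get("Label", ""), program_path(job)
    hits = []
    if UUID_EXE_RE.search(prog):
        hits.append("uuid-named executable under Application Support")
    if HIDDEN_ROOT_RE.match(prog):
        hits.append("executable in hidden /var/root directory")
    if any(w in label.lower() for w in NAME_WORDS):
        hits.append("label contains a reported Adload naming word")
    return hits

def daemon_triplets(labels) -> set:
    """Bases present as com.X, com.XDaemon and com.XP together (the layout above)."""
    names = set(labels)
    return {n for n in names if n + "Daemon" in names and n + "P" in names}

def suspicious_cron_lines(crontab: str) -> list:
    """Crontab entries that run a UUID-named executable from Application Support."""
    return [ln for ln in crontab.splitlines()
            if ln.strip() and not ln.startswith("#") and UUID_EXE_RE.search(ln)]

# Constructed samples (not real Adload artifacts): one daemon plist, one crontab line
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.SearchRangeP</string>
<key>ProgramArguments</key><array><string>/var/root/.SearchQuest/SearchRangeDaemon</string></array>
</dict></plist>"""
SAMPLE_CRON = "0 */2 * * * /Users/alice/Library/Application Support/1234abcd-12ab-34cd-56ef-1234567890ab/deadbeef-0000-1111-2222-333333333333\n"
```

On a live system, feed `assess_job` the bytes of each file in ~/Library/LaunchAgents and /Library/LaunchDaemons, and `suspicious_cron_lines` the output of `crontab -l`.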
This adware is also suspected of installing additional adware and other types of malware, but the direct connections are not proven yet.
| Field | Details |
|---|---|
| Type | Mac malware; adware |
| Target system | Mac OS X |
| Other variants | UltraLocator, ExecutiveOperation, ConnectedPlatform and many others |
| Detection names | Adware.MAC.Adload.IZ (B) (Emsisoft), Adware.MAC.Adload.IZ (Bitdefender), PUA:Win32/Vigua.A (Microsoft), see full list on VirusTotal |
| Activity | This adware-type infection installs a web proxy to redirect the user’s traffic through its own servers, generating revenue for the developer. The user might notice browser redirects, browser search settings changes, pop-up ads and similar promotional content that wasn’t initiated by the user. |
| Distribution | This adware is often promoted via software bundles and fake AdobeFlashPlayer installations |
| Found along | Mughthesec, MMInstall, MMProt, MyShopCoupon, SurfBuyer, Souter |
| Removal | Remove Adload malware using Malwarebytes |
Typically, malicious software like Adload spreads through rogue installers of Potentially Unwanted Applications. These installers are proliferated through unofficial, unverified websites that trick people into downloading and executing certain types of files.
Adware also spreads through pop-ups shown when you click on a suspicious ad or visit an untrustworthy site. The pop-up asks you to allow notifications or add an extension to your browser, and if you accept, your default browser settings will most likely be changed. This is done to promote fake search engines and websites that generate revenue for the developers.
Adware developers also exploit weaknesses in outdated software to intrude into your system. For example, if Java on your computer is outdated, under certain circumstances it could be exploited as backdoor access to your system.
Adware-like malware such as Adload might also come in through software bundling – a practice in which PUPs (Potentially Unwanted Programs) are appended to other software the user wants to install. This especially applies to people who tend to skip through installation processes and are inattentive in general.
Adload is also found alongside other adware/PUA installations known as ‘Mughthesec’, ‘Souter’, ‘MMInstall’ and ‘MMProt’. All of these adware programs follow the same pattern – they redirect you to a scam website that urges you to download Flash Player or other programs. The installation instructions are designed to bypass Apple’s built-in Gatekeeper and XProtect security systems.
Avoiding adware installation
It is important to realize that in order to avoid installing adware-like programs such as Adload, you need to pay attention to what you are doing on the internet in general. For example, never interact with ads that are intrusive or suspicious-looking. Do not click on pop-ups, and never agree to receive notifications or add an extension to your browser unless you are sure the source behind it is trustworthy.
Try to avoid any downloads from untrustworthy, unverified file-sharing platforms and websites, since these sites might host programs that use software bundling practices. When you install software downloaded from the internet, pay close attention to the installation process itself. Always check the Advanced/Custom options; usually, this is where people get tricked into adding adware to their system.
Keep all of your software and anti-virus programs up to date as well. This is extremely important, since cybercriminals often try to exploit weaknesses in outdated software.
Remove Adload malware from Mac
If you see any signs of infection with this sort of adware-type malware, do not delay Adload malware removal. Take immediate action to eliminate it from your system before it does any more damage. If not taken care of as soon as possible, it might cause more severe consequences than an irritating browser experience. The instructions down below will help you deal with this situation.
We strongly recommend using Malwarebytes for Mac to remove Adload malware from your computer. You can find additional manual removal instructions below this article.
Adload malware variants
Remove Adload malware from Mac
- Click on Finder.
- Go to Applications folder.
- Look for suspicious applications you can't remember installing. Right-click them and select Move to Trash.
- After moving all suspicious apps to Trash, right-click the Trash bin in Mac's Dock and select Empty Trash.
Matt Corey is passionate about the latest tech news, gadgets and everything IT. Matt loves to criticize Windows and help people solve problems related to this operating system. When he’s not tinkering around with new gadgets he orders, he enjoys skydiving, as it is his favorite way to clear his mind and relax.