New Shlayer Mac malware spreads via poisoned search engine results

Shlayer Mac malware is back, the Mac threat is now spreading through new black SEO operations.

Researchers spotted a new version of the Shlayer Mac malware that is spreading via poisoned Google search results.

Researchers at security firm Intego observed the new variant being spread masqueraded as a fake Adobe Flash Player installer (.DMG disk image) and implementing fresh advanced evasion capabilities.

“The new malware tricks victims into bypassing Apple’s built-in macOS security protections, and it uses sneaky tactics in an effort to evade antivirus detection.” reads the post published by Intego.

“As of Friday, the new malware installer and its payload had a 0/60 detection rate among all antivirus engines on VirusTotal.”

Upon opening the Flash Player installer, the disk image will mount and display instructions on how to install it.

The instructions tell users to first right-click on the Flash Installer and click Open to launch the fake installer that is actually a bash shell script.

The bash shell script opens and runs itself in the Terminal app, then it extracts a self-embedded, password-protected .zip archive file, which contains a traditional Mac .app bundle. The script installs the Mac app into a hidden temporary folder, then it launches the app and quits the Terminal.

The Mac .APP bundle downloads and executers a legitimate, Adobe-signed Flash Player installer, while executes the malicious Mac app in the background.

“The developers’ decision to hide the Mac .app within a password-protected .zip file, and to hide that within a bash shell script, is a novel idea—and it is also extremely clear evidence that the developers are trying to evade detection by antivirus software.” continues the analysis.

The malware can be used to download other malicious payloads, including malware or adware.

“This newly re-engineered malware purports to be a legitimate Flash Player installer, but it has the capability to surreptitiously download and install additional unwanted packages containing adware or spyware,” continues the analysis.

According to experts from Kaspersky Lab, the Shlayer malware was the most widespread macOS threat in 2019.

In February, malware researchers at Carbon Black spotted a new strain of the Shlayer malware that was targeting MacOS versions from 10.10.5 up to 10.14.3.

The malware was posing as an Adobe Flash update and it was distributed through a large number of websites, fake or compromised legitimate domains.

Unlike other Bash-based macOS malware, the Shlayer family is written in Python, and its operation algorithm is different from other threats.

In the campaign spotted by Intego, the malware spread via poisoned search engine results, including Google, Bing, Yahoo!, DuckDuckGo, Startpage, and Ecosia.

Search engines face numerous challenges in trying to prevent poisoned search results that lead to malware.

“While searching Google for the exact titles of YouTube videos, Intego’s research team encountered Google search results that, when clicked, pass through multiple redirection sites and end up on a page that claims the visitor’s Flash Player is out of date, and displays deceptive warnings and fake dialog boxes to entice the victim to download a supposed Flash Player updater—which is, in fact, a Trojan horse.” continues the analysis.

At the time it is not clear how many sites have been used as part of this campaign to spread the malware.

Additional info about the malware, including Indicators of Compromise (IoCs) are reported in the analysis published by Intego.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Shlayer)

[adrotate banner=”5″]

[adrotate banner=”13″]