Which was the most common threat to macOS devices in 2019? Shlayer malware

Pierluigi Paganini January 27, 2020

Malware authors continue to show interest in macOS devices: Kaspersky experts confirmed that the Shlayer malware has been the most common threat to the macOS platform.

Security experts from Kaspersky Lab revealed that the Shlayer malware was the most widespread macOS threat in 2019.

In February, malware researchers at Carbon Black spotted a new strain of the Shlayer malware that was targeting macOS versions from 10.10.5 up to 10.14.3.

The malware posed as an Adobe Flash update and was distributed through a large number of websites, both fake domains and compromised legitimate ones.

Shlayer macOS Malware

This variant of the Shlayer malware employs multiple levels of obfuscation; experts also discovered that many of the initial DMGs are signed with a legitimate Apple developer ID.

The malware installs the Any Search bar on the targeted Mac to deploy adware; it also intercepts and collects browser data and is able to alter search results to deliver malicious ads.

According to Kaspersky, in 2019 one in ten of its Mac security solutions encountered this malware at least once.

“For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS.” reads the analysis published by Kaspersky. “The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.”

The malware was used to deliver multiple adware including AdWare.OSX.Cimpli, AdWare.OSX.Bnodlero, AdWare.OSX.Pirrit, and AdWare.OSX.Geonei.

Experts pointed out that the infection process of the Shlayer malware hasn't changed over time and that the malicious code remained active throughout 2019.

Unlike other Bash-based macOS malware, the Shlayer family is written in Python, and its operation algorithm differs from that of other threats.

Shlayer serves only as the initial stage of the attack: it penetrates the system, loads the main payload, and runs it.

“The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family, which was being actively downloaded by the Trojan at the time of writing.” continues the report. “But in actual fact, Cimpli performs several actions unseen by the user. First, it installs a malicious extension in Safari, hiding the OS security notification behind a malware fake window. By clicking on the buttons in the notification, the user in effect agrees to install the extension.”

The researchers detailed one of the extensions downloaded and installed by the malware, called Management. The extension monitors user searches and redirects them to the address hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c by injecting the script script.js into the browser pages. The malicious code also loads the mitmdump tool, which is packed using PyInstaller.
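As an added defender-side illustration (not code from the Kaspersky report or from this article), the following Python refangs the redirect indicator quoted above and runs it over a few constructed proxy-log lines, flagging any client whose searches are being sent to that host. The log format, client addresses and every host other than the quoted indicator are assumptions made for the example.

```python
"""Detection example (added here; not Kaspersky's or Security Affairs' code).

Matches proxy-log lines against the search-redirect indicator quoted in the
article. The log lines below are constructed for the example; the only real
indicator is the defanged URL taken from the report.
"""
import re
from urllib.parse import urlparse

# Indicator exactly as printed in the article (defanged).
DEFANGED_IOC = "hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real URL so it can be parsed."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def indicator_parts(ioc: str):
    """Return (hostname, path) of the refanged indicator."""
    u = urlparse(refang(ioc))
    return u.hostname, u.path


# Constructed sample proxy log: timestamp client method url status.
# Assumed format; the client IPs and the benign hosts are invented.
SAMPLE_LOG = """\
2020-01-27T10:01:02Z 10.0.0.5 GET https://www.example.com/search?q=weather 200
2020-01-27T10:01:05Z 10.0.0.5 GET http://lkysearchex41343-a.akamaihd.net/as?q=c&term=weather 302
2020-01-27T10:02:11Z 10.0.0.7 GET https://example.org/index.html 200
2020-01-27T10:03:40Z 10.0.0.5 GET http://lkysearchex41343-a.akamaihd.net/track 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_redirect_hits(log_text: str, ioc: str = DEFANGED_IOC):
    """Return (client, path, kind) for every request to the indicator host.

    A request to the indicator's own path is labelled 'search-redirect';
    any other path on the same host is still reported as 'other-request',
    since the article attributes the whole host to the adware extension.
    Lines that do not match the assumed format are skipped.
    """
    ioc_host, ioc_path = indicator_parts(ioc)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        u = urlparse(url)
        if u.hostname != ioc_host:
            continue
        kind = "search-redirect" if u.path == ioc_path else "other-request"
        hits.append((client, u.path, kind))
    return hits


if __name__ == "__main__":
    for client, path, kind in find_redirect_hits(SAMPLE_LOG):
        print(f"{client} -> {path} [{kind}]")
```

Matching on the host rather than the full query string is deliberate: the `q=` parameter carries the victim's search term and varies per request, so an exact-URL match would miss almost every hit.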

Most Shlayer infection attempts were observed in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%).

“Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals.” concludes the report. “The Trojan links even reside on legitimate resources — attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.”


Pierluigi Paganini

(SecurityAffairs – Shlayer, hacking)
