A massive adware campaign has so far impacted up to a million Mac users, using a tricky steganography technique to hide malware in image files.
Researchers at Confiant and Malwarebytes said the attacks have been running since Jan. 11, using ads on the web and steganography to spread; steganography being the practice of concealing secret messages, code or information within otherwise innocuous-looking text or images. The tactic has been used in several campaigns over the past year, including in uploaded images on trusted Google sites and even in memes on Twitter.
In the Mac campaign, a victim first comes across an ad carrying an image; in reality, JavaScript malware is hidden within the image file's code in the ad. Once clicked, the malicious ad infects the Mac user with the Shlayer trojan, which masquerades as a Flash upgrade and in turn redirects the victim to an adware installer.
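The article does not say how the JavaScript was coded into the image, and the page's authors publish no tooling for it. The following is an added example, not code from Confiant, Malwarebytes or the VeryMal campaign, that shows the simplest defender-side check a triage pipeline can run on an ad creative: parse the image to the decoder's end-of-image marker (PNG IEND chunk, JPEG EOI marker) and flag any bytes appended after it that look like script. The image samples and the `FAKE_TRAILER` string are constructed for the example and are inert text, not a real payload.

```python
import re
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"

# Substrings that rarely belong after an image's end marker (heuristic list, an assumption).
SCRIPT_HINTS = re.compile(
    rb"(<script|eval\(|atob\(|fromCharCode|document\.|location\.)", re.IGNORECASE)


def _png_end(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past the IEND chunk's CRC."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4          # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            return None                      # truncated chunk: not a well-formed image
        if ctype == b"IEND":
            return end
        pos = end
    return None


def _jpeg_end(data: bytes) -> Optional[int]:
    """Walk JPEG marker segments; return the offset just past the EOI marker."""
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI
            return pos + 2
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers (TEM, RSTn, SOI)
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                   # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                    # a marker, not byte stuffing (FF00) or a restart marker
                pos += 1
    return None


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset where a decoder stops reading, or None for unknown/malformed input."""
    if data.startswith(PNG_SIG):
        return _png_end(data)
    if data.startswith(JPEG_SOI):
        return _jpeg_end(data)
    return None


def scan_image(data: bytes) -> dict:
    """Report bytes appended after the end marker and whether they look like script."""
    end = image_end_offset(data)
    if end is None:
        return {"parsed": False, "trailing_bytes": 0, "script_like_trailer": False}
    trailer = data[end:]
    return {
        "parsed": True,
        "trailing_bytes": len(trailer),
        "script_like_trailer": SCRIPT_HINTS.search(trailer) is not None,
    }


# --- constructed samples for the example (not real VeryMal artifacts) ---
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A valid 1x1 8-bit RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    """Structurally valid JPEG skeleton: SOI, APP0, SOS with dummy scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"            # contains a stuffed FF00 that must not be read as a marker
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


FAKE_TRAILER = b"<script>var s=document.createElement('script');</script>"  # constructed, inert text

if __name__ == "__main__":
    for name, blob in [("clean.png", build_sample_png()),
                       ("trailer.png", build_sample_png() + FAKE_TRAILER),
                       ("trailer.jpg", build_sample_jpeg() + FAKE_TRAILER)]:
        print(name, scan_image(blob))
```

Run it as a script to see the three verdicts, or call `scan_image()` on each creative an ad-quality scanner fetches. The check only covers payloads appended after the end marker, which is the cheapest place to hide data because decoders ignore it; a payload encoded in pixel values (and read back through a canvas) passes this check untouched, so treat it as one signal alongside the "gibberish" heuristics the researchers describe rather than as a complete filter.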
“The malware acts both as a Trojan (disguised as a Flash Player update) and dropper for additional payloads, most notably Adware,” Jerome Segura, head of Threat Intelligence with Malwarebytes, told Threatpost. “As a result, end users may notice their machines running slower than normal and may be tricked into purchasing applications that they do not need.”
The researchers said they have detected 191,970 bad ads so far, and estimate that around 1 million users have been impacted. Confiant benchmarks the cost impact for just Jan. 11 to have been more than $1.2 million in ad fraud.
“The perpetrators, as it turns out, have been active for months, but only recently have they begun to smuggle in the malware by way of steganography through the use of image coding,” researchers said in a Wednesday post detailing the campaign.
Shlayer Malware
The Shlayer malware was first discovered by Intego researchers in February 2018, spreading via BitTorrent file sharing sites. Torrent sites are known for distributing malware and adware.
“The initial trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system,” Intego researchers said in an analysis of the malware.
Because the trojan masquerades as a Flash upgrade, victims are unaware of its malicious intent, Confiant researchers said.
Infected “users are redirected to an installer via forced redirects that are targeted specifically to desktop Safari users,” researchers said.
Eliya Stein, senior security engineer at Confiant, told Threatpost that the campaign is still ongoing but the bad actor regularly rotates its payload and domains.
Malvertising Evolution
Little is known about the operator behind the attack, Stein said, except that researchers have dubbed the bad actor “VeryMal,” based on one of its serving domains (veryield-malyst[.]com).
The research team at Confiant and Malwarebytes said that this latest malvertising campaign shows how the tactic continues to evolve as bad actors look to spread malware on a wide scale while staying hidden through obfuscation.
“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” they said. “The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Tactics like this are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”