A massive adware campaign has so far impacted up to a million Mac users, using a tricky steganography technique to hide malware in image files.
Researchers at Confiant and Malwarebytes said the attacks have been running since Jan. 11 and spread through web ads that use steganography, the practice of concealing messages, code or other information inside otherwise innocuous-looking text or images. The tactic has been used in several campaigns over the past year, including in images uploaded to trusted Google sites and even in memes on Twitter.
“The malware acts both as a Trojan (disguised as a Flash Player update) and dropper for additional payloads, most notably Adware,” Jerome Segura, head of Threat Intelligence with Malwarebytes, told Threatpost. “As a result, end users may notice their machines running slower than normal and may be tricked into purchasing applications that they do not need.”
The researchers said they have detected 191,970 bad ads so far and estimate that around 1 million users have been impacted. Confiant puts the cost of the ad fraud for Jan. 11 alone at more than $1.2 million.
“The perpetrators, as it turns out, have been active for months, but only recently have they begun to smuggle in the malware by way of steganography through the use of image coding,” researchers said in a Wednesday post detailing the campaign.
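As an added illustration of the technique described above (this is not code from the campaign, Confiant or Malwarebytes, and the article does not describe the operator's exact encoding), the following Python shows the general idea of hiding a script in the least-significant bits of an image's pixel data, recovering it, and one cheap check a defender can run over an ad creative. The cover pixels and the payload are constructed here; the printable-ASCII heuristic only catches payloads stored as plain text and is defeated by compression or encryption, so treat it as a triage signal rather than a detector.

```python
# Added example: least-significant-bit (LSB) steganography over raw RGB
# channel bytes, plus a simple LSB-plane check. No image library is needed;
# the cover "image" is a constructed 64x64 RGB buffer of pseudo-random bytes.
import random

# Constructed cover: seeded so the example is reproducible offline.
_rng = random.Random(7)
COVER = bytes(_rng.getrandbits(8) for _ in range(64 * 64 * 3))

# Constructed stand-in for a hidden payload. It performs no redirect; it only
# has the shape of a script so the defender check below has something to find.
PAYLOAD = (
    b"(function(){ /* constructed demo payload, not a real redirect */ "
    b"var ua = navigator.userAgent; "
    b"if (/Macintosh/.test(ua)) { console.log('would redirect here'); } "
    b"})();"
)


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Hide `payload` in the lowest bit of successive channel bytes.

    A 4-byte big-endian length prefix tells the extractor where to stop.
    Each channel byte moves by at most 1, so the image looks unchanged.
    """
    body = len(payload).to_bytes(4, "big") + payload
    if len(body) * 8 > len(pixels):
        raise ValueError("cover too small: need %d channel bytes" % (len(body) * 8))
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(body)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_plane(pixels, n_bytes, offset=0):
    """Reassemble `n_bytes` bytes from the LSBs of channel bytes at `offset`."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels):
    """Inverse of embed(): read the length prefix, then that many payload bytes."""
    length = int.from_bytes(lsb_plane(pixels, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds image size; not an embed() image")
    return lsb_plane(pixels, length, offset=32)


def looks_like_script(pixels, sample_bytes=128, threshold=0.9):
    """Triage heuristic: the LSB plane of photo-like pixel data is close to
    noise, so a high share of printable ASCII in the first LSB-plane bytes
    suggests a plain-text payload. Compressed or encrypted payloads evade it."""
    n = min(sample_bytes, len(pixels) // 8)
    if n == 0:
        return False
    sample = lsb_plane(pixels, n)
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / n >= threshold


def demo():
    """Embed, recover and check; returns the results for inspection."""
    stego = embed(COVER, PAYLOAD)
    return {
        "changed_bytes": sum(1 for a, b in zip(COVER, stego) if a != b),
        "max_channel_delta": max(abs(a - b) for a, b in zip(COVER, stego)),
        "recovered": extract(stego) == PAYLOAD,
        "cover_flagged": looks_like_script(COVER),
        "stego_flagged": looks_like_script(stego),
    }


if __name__ == "__main__":
    print(demo())
```

The length prefix is what makes extraction deterministic without a terminator byte; a real campaign can use any framing it likes, which is why a defender should not rely on a single layout and should instead look at the statistics of the LSB plane or at what the page's JavaScript does with the decoded pixels.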
The payload in this case, the Shlayer malware, was first discovered by Intego researchers in February 2018, when it spread via BitTorrent file-sharing sites, which are known for distributing malware and adware.
“The initial trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system,” Intego researchers said in an analysis of the malware.
Because the trojan masquerades as a Flash upgrade, victims are unaware of its malicious intent, Confiant researchers said.
Victims “are redirected to an installer via forced redirects that are targeted specifically to desktop Safari users,” researchers said.
Eliya Stein, senior security engineer at Confiant, told Threatpost that the campaign is still ongoing but the bad actor regularly rotates its payload and domains.
Little is known about the operator behind the attack, Stein said, except that researchers have dubbed the bad actor “VeryMal,” based on one of its serving domains (veryield-malyst[.]com).
The research team at Confiant and Malwarebytes said this latest malvertising campaign shows how the tactic continues to evolve as bad actors look to spread malware at scale while staying hidden through obfuscation.