Shlayer Mac Malware Returns with Extra Sneakiness

Trojan malware

Spreading via poisoned Google search results, this new version of Mac’s No. 1 threat comes with added stealth.

A fresh variant of the Shlayer Mac OSX malware with advanced stealth capabilities has been spotted in the wild, actively using poisoned Google search results in order to find its victims.

According to researchers at Intego, the malware, like many malware samples before it, is purporting to be an Adobe Flash Player installer. However, it has its own unique characteristics: It takes a crafty road to infection once it’s downloaded, all in the name of evading detection.

To start with, the masquerading “installer” is downloaded as a .DMG disk image, according to Intego’s analysis.

“After the deceptive Flash Player installer is downloaded and opened on a victim’s Mac, the disk image will mount and display instructions on how to install it,” explained Joshua Long, chief security analyst at Intego, in a posting on Monday.

Oddly, the instructions tell users to first right-click on the Flash Installer and select “Open,” and then to click Open in the resulting dialog box. But this “may be a bit puzzling to many casual Mac users,” Long pointed out. “Unlike typical Windows PCs, there is no obvious right-side button on Apple mice and trackpads. Therefore, novice Mac users may not know how to do the Mac equivalent of a right-click, and therefore may not understand how to run the malware installer script.”

If a user gets past this and follows the instructions, the fake installer app launches. This app comes with a Flash Player icon and looks like a normal Mac app – but it’s actually a bash shell script.

The bash shell sets about running itself in the Terminal app, where it extracts a self-embedded, password-protected .ZIP archive file. Inside the archive lies a Mac .APP bundle, which the installer places into a hidden temporary folder and then launches, before quitting Terminal. This activity happens in a “split second” in order to evade user notice, according to the firm. For a victim, nothing will seem amiss.

Adding to the verisimilitude, the Mac .APP bundle in turn downloads a legitimate, Adobe-signed Flash Player installer, which acts as a cover for the hidden, malicious Mac app operating in the background.

“The developers’ decision to hide the Mac .APP within a password-protected .ZIP file, and to hide that within a bash shell script, is a novel idea—and it is also extremely clear evidence that the developers are trying to evade detection by antivirus software,” Long noted.

The hidden malware can from there lurk on the machine, ready to download any other Mac malware or adware package from a command-and-control (C2) server, whenever the operators feel like it.

“This newly re-engineered malware purports to be a legitimate Flash Player installer, but it has the capability to surreptitiously download and install additional unwanted packages containing adware or spyware,” Long said.

Shalyer last year made its way to the top of the heap when it comes to Mac’s most common threat — It made up 29 percent of all attacks on macOS devices in Kaspersky’s telemetry for 2019, making it the No. 1 Mac malware threat for the year. Previous versions also acted as installers for second-stage malware, and spread via fake apps.

In the latest campaign, to lure victims in, its operators are using poisoned search results – specifically within Google Search. This is a well-worn approach in which malware distributors find vulnerable blogs or other sites with high Google search-engine rankings, compromise them, and add a redirection mechanism that bounces through a number of affiliate links –  ultimately redirecting users to a fake Flash Player landing page. It should be said that although the Shlayer variant in this case was found via Google search results, any search engine is susceptible to the tactic, including Bing, Yahoo!, DuckDuckGo and so on.

“While searching Google for the exact titles of YouTube videos, Intego’s research team encountered Google search results that, when clicked, pass through multiple redirection sites and end up on a page that claims the visitor’s Flash Player is out of date, and displays deceptive warnings and fake dialog boxes to entice the victim to download a supposed Flash Player updater—which is, in fact, a trojan horse,” Long said.

For this specific malware campaign, it remains unclear how many sites are offering the malware and how many varieties of search results are poisoned, Intego said, especially since the malware is brand-new: As of Friday, the new malware installer and its payload had a 0/60 detection rate among all antivirus engines on VirusTotal, researchers found.

The use of poisoned search results, a .DMG image and the gambit of a fake Adobe Flash installer is identical to the M.O. of another malware that Intego discovered, dubbed CrescentCore. This malware appeared last summer, but it used different evasion techniques from the new malware. It also installed malicious Safari browser extensions and dropped bloatware applications like “Advanced Mac Cleaner” on infected devices.

Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about itPlease register here for this Threatpost webinar.


Suggested articles