Macs running latest OS are vulnerable to Shlayer 2.0

UPDATED: A new variant of malware is infecting Apple operating systems by posing as an Adobe Flash software update, researchers at Carbon Black’s Threat Analysis Unit (TAU) have found.

The malware is the latest evolution of OSX/Shlayer and is said to affect versions of macOS from 10.10.5 to 10.14.3 (Mojave).

Like its predecessor, the malware spreads when a user clicks on a malicious web link, typically posing as an Adobe Flash Player upgrade.

From there, a payload is delivered through a DMG file, from which the malware can escalate privileges and download additional malware.

“Many of the initial DMGs are signed with a legitimate Apple developer ID and use legitimate system applications via bash to conduct all installation activity,” Carbon Black wrote in a blog post.

“Although most samples were DMG files, we also discovered .pkg, .iso, and .zip payloads.”

A command script found in a hidden directory is executed as soon as the malicious file is downloaded on the user’s system.

“This script base64 decodes and AES decrypts a second script containing an additional encoded script that is subsequently executed,” Carbon Black explained.

After this stage the malware can escalate privileges through /usr/libexec/security_authtrampoline, Carbon Black said, citing similar attack methods outlined in Patrick Wardle’s 2017 DEFCON talk ‘Death by 1000 Installers’.

“Once the malware has elevated to root privileges, it attempts to download additional software (observed to be adware in the analyzed samples) and disables Gatekeeper for the downloaded software using spctl,” Carbon Black said.

“This allows the whitelisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the internet.”
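The three behaviours described above (a shell script that base64-decodes and AES-decrypts a further script and runs it, execution of `/usr/libexec/security_authtrampoline`, and Gatekeeper being disabled or bypassed with `spctl`) are each visible in process-execution telemetry. The following is an added defender's example, not code from Carbon Black, Intego or The Daily Swig: a small Python scanner that turns those behaviours into heuristics and runs them over constructed process records. The record format (`timestamp|user|command line`), the sample events, the placeholder values and the rule names are assumptions of this example; the options it looks for (`base64 -D`/`--decode`, `openssl enc -d -aes-…`, `spctl --master-disable`, `spctl --add`, `spctl --disable`) are standard macOS and OpenSSL flags.

```python
"""Heuristic detection of the Shlayer 2.0 behaviours named in the article.

Added example (not Carbon Black's, Intego's or The Daily Swig's code).
Record format, sample events and rule names are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Pattern, Tuple


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index of the record that matched
    user: str
    rule: str
    cmdline: str


# A rule fires only when EVERY pattern in its list matches the command line.
RULES: Dict[str, List[Pattern]] = {
    # Article: "This script base64 decodes and AES decrypts a second script ...
    # that is subsequently executed" -> decode + decrypt + pipe into a shell.
    "base64_aes_script_decode": [
        re.compile(r"\bbase64\s+(-D|-d|--decode)\b"),   # base64 decode step
        re.compile(r"\bopenssl\s+enc\b"),                # openssl symmetric cipher
        re.compile(r"\s-d\b"),                           # ... in decrypt mode
        re.compile(r"-aes-\d{3}-"),                      # ... using an AES mode
        re.compile(r"\|\s*(/bin/)?(ba)?sh\b"),           # output fed straight to a shell
    ],
    # Article: privilege escalation through security_authtrampoline.
    "security_authtrampoline_exec": [
        re.compile(r"/usr/libexec/security_authtrampoline\b"),
    ],
    # Article: "disables Gatekeeper for the downloaded software using spctl".
    "gatekeeper_tamper_spctl": [
        re.compile(r"\bspctl\b"),
        re.compile(r"--(master-disable|add|disable)\b"),
    ],
}

# Constructed sample telemetry (assumed format: timestamp|user|command line).
# Records 2-5 mimic the described chain; 6-8 are benign look-alikes.
SAMPLE_EVENTS = [
    "2019-02-12T10:01:03|alice|/usr/bin/open /Users/alice/Downloads/FlashPlayer.dmg",
    '2019-02-12T10:01:09|alice|/bin/bash -c "cat /Volumes/Install/.hidden/payload | base64 -D '
    '| openssl enc -d -aes-256-cbc -k PLACEHOLDER_KEY | bash"',
    "2019-02-12T10:01:15|root|/usr/libexec/security_authtrampoline PLACEHOLDER_ARGS",
    "2019-02-12T10:01:20|root|/usr/sbin/spctl --master-disable",
    "2019-02-12T10:01:21|root|/usr/sbin/spctl --add --label PLACEHOLDER /Users/alice/Downloads/Player.app",
    "2019-02-12T11:30:00|bob|openssl enc -aes-256-cbc -salt -in notes.txt -out notes.enc",
    "2019-02-12T11:31:00|bob|base64 -D -i photo.b64 -o photo.jpg",
    "2019-02-12T11:32:00|bob|/usr/sbin/spctl --status",
]


def parse_record(line: str) -> Tuple[str, str, str]:
    """Split 'timestamp|user|cmdline'; the command line may itself contain '|'."""
    ts, user, cmd = line.split("|", 2)
    return ts, user, cmd


def scan(records: Iterable[str]) -> List[Finding]:
    """Return one Finding per (record, rule) pair where all of the rule's patterns match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(records, 1):
        _, user, cmd = parse_record(line)
        for rule, patterns in RULES.items():
            if all(p.search(cmd) for p in patterns):
                findings.append(Finding(line_no, user, rule, cmd))
    return findings


def rules_hit(records: Iterable[str]) -> List[str]:
    """Convenience view: the rule names that fired, in record order."""
    return [f.rule for f in scan(records)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.line_no} user={f.user} rule={f.rule}: {f.cmdline}")
```

On the constructed sample the scanner flags records 2 to 5 and stays quiet on the benign encryption, decoding and `spctl --status` events. Two caveats when adapting `parse_record` to real EDR or unified-log process events: the decode rule assumes the whole pipeline appears in one `bash -c` command line, so a chain that spawns `base64`, `openssl` and `sh` as separate processes needs correlation by parent PID instead; and `spctl --master-disable` is a high-fidelity signal, whereas `spctl --add` on its own is noisier because legitimate installers also whitelist software, so it is best weighted by the parent process and the user that ran it.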

The Daily Swig reached out to Carbon Black to see how many users have been affected by OSX/Shlayer since it was first discovered by Mac security experts at Intego in 2018.

“We're still researching the overall prevalence and reach but this campaign appears to have been going on since at least February 2018 and also appears to be relatively widespread,” said Erika Noerenberg, one of Carbon Black's senior threat researchers.

“Historically, there haven't been a lot of eyes on Mac malware and we see this development as a positive step toward additional awareness.”

The TAU has posted a list of indicators to help determine whether a system has been compromised by OSX/Shlayer.

This isn’t the only recent instance of macOS, typically noted for its robust security, being targeted.

A report by Trend Micro recently revealed that .exe files were being used by hackers to bypass protections such as Gatekeeper.


This article has been updated to include comments from Carbon Black.