Stealthy malware can go unnoticed by antivirus scanners
Researchers have discovered a new Shlayer macOS malware variant which obfuscates itself to sneak past security tools and compromise a target machine.
Dubbed ‘ZShlayer’, the variant does not conform to the original Shlayer signatures, meaning that it can go unnoticed by some malware scanners.
Notably, ZShlayer heavily obfuscates Zsh scripts to disguise itself.
Earlier versions of the original Shlayer malware came as shell script executables on a removable .DMG disk image. This new variant instead arrives as a standard Apple application bundle inside the .DMG.
A blog post from Phil Stokes, threat researcher at SentinelOne, who discovered the strain, reads: “Although bypassing Apple’s Notarization checks is obviously a headline grabber, this new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.”
Stokes said he discovered the variant while threat hunting on VirusTotal. The post explains in more detail how the obfuscated Zsh script eventually unpacks into the Shlayer malware.
He told The Daily Swig: “Implications are that users’ security tools may not recognize the initial infected application bundle as malware as it doesn’t conform to Shlayer signatures.”
Fortunately, it seems that ZShlayer infections are currently isolated to users who have downloaded illicit software outside of Apple’s official App Store ecosystem.
He added: “Most ZShlayer droppers that I saw are in trojanized cracked software, so the usual caveat applies about avoiding downloading pirated versions of products.”
Shlayer, malware that poses as an Adobe Flash software update before infecting Apple operating systems, was first discovered back in February 2019.
It recently resurfaced after it was found to slip past Apple’s notarization checks.
The campaign was spotted by Twitter user Peter Dantini, who passed on his findings to Mac security expert Patrick Wardle.
The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.
Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.