Malware hidden in ad based images targets Mac

Rita gives you full control of which sites your employees can and cannot visit. Rita can block sites that eat up your precious bandwidth, such as media streaming sites, and lets you block undesirable sites by wildcard or by name. Rita gives you the ability to determine which computers will be blocked and which will be allowed. With Rita, you can also block access to sensitive servers within your LAN.

An adware attack has infected up to a million Mac users, using a steganography technique to hide malware in image files. Researchers at Confiant and Malwarebytes stated the attacks have been running since Jan. 11, spreading through web ads that use steganography to carry the payload. Steganography is the practice of concealing secret messages, code or information within innocuous-looking text or images. The tactic has been used in several attacks over the past year, including in images uploaded to trusted Google sites and even in memes on Twitter.

In the Mac attack, a victim first comes across an ad with what looks like an ordinary image. In reality, malicious JavaScript is hidden inside the image file served with the ad. Once clicked, the malicious ad infects the Mac user with the Shlayer trojan, which disguises itself as a Flash update and then redirects the victim to an adware installer. The malware acts both as a trojan and as a dropper for additional payloads, most notably adware. Users may notice their machines running slower than normal and may be tricked into purchasing applications that they do not need.
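The article does not say how the JavaScript was embedded in the ad images, and there are many ways to do it. The following is an added example, not code from the article or from the Confiant/Malwarebytes research: a defender-side check for one of the simplest hiding spots, bytes appended after the point where a well-formed PNG (the IEND chunk) or JPEG (the EOI marker) should end. Image viewers ignore such trailing data, so the file still renders as a normal picture. The sample PNG and JPEG below are constructed inline (the JPEG is structurally valid but not a decodable picture); a clean result only rules out this one embedding method, not pixel-level steganography.

```python
"""Flag image files that carry data past their logical end-of-image.

Added example (not from the article). Walks the PNG chunk list or the
JPEG segment list to find where the image really ends, then reports any
bytes that follow. Trailing data is only one hiding place, so an empty
result does not prove the image is benign.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def png_logical_end(data: bytes) -> int:
    """Return the offset just past the IEND chunk (length + type + body + CRC)."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header, chunk body, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("PNG has no IEND chunk")


def jpeg_logical_end(data: bytes) -> int:
    """Return the offset just past the EOI marker, skipping entropy-coded data.

    Inside scan data a 0xFF byte is always followed by 0x00 (stuffing) or a
    restart marker (0xD0..0xD7); anything else is a real marker.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:            # EOI
            return pos + 2
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:            # SOS: skip entropy-coded bytes to next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("JPEG has no EOI marker")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes that sit after the logical end of a PNG or JPEG (b'' if none)."""
    if data.startswith(PNG_MAGIC):
        end = png_logical_end(data)
    elif data.startswith(JPEG_SOI):
        end = jpeg_logical_end(data)
    else:
        raise ValueError("unsupported image format")
    return data[end:]


def inspect_image(data: bytes) -> dict:
    """Summarise trailing data; any trailing bytes are worth a closer look."""
    extra = trailing_bytes(data)
    return {"trailing_length": len(extra), "suspicious": len(extra) > 0}


# --- constructed sample inputs (not real ad images) -----------------------

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def tiny_png() -> bytes:
    """A valid 1x1 RGB PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\x00\x00"           # filter byte + one red pixel
    return (PNG_MAGIC + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def tiny_jpeg() -> bytes:
    """Structurally valid JPEG skeleton: SOI, APP0, SOS, stuffed scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"AB"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"      # includes a stuffed 0xFF and an RST marker
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    planted = tiny_png() + b"<script>/* constructed payload */</script>"
    print(inspect_image(tiny_png()))   # clean
    print(inspect_image(planted))      # trailing bytes flagged
```

Run it over a directory of ad creatives and triage anything with a non-zero trailing length; the check costs one pass over the file and needs no image decoding.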

Researchers have found almost 200,000 malicious ads so far, and estimate that around 1 million users have been impacted. Confiant estimates the cost impact for Jan. 11 alone to have been more than $1.2 million in ad fraud. The hackers have been active for months but only recently began smuggling the malware inside image files by way of steganography.

The Shlayer malware was first discovered by Intego researchers in February 2018, spreading via BitTorrent file sharing sites. Torrent sites are known for distributing malware and adware. The initial trojan horse infection component of OSX/Shlayer took advantage of shell scripts to download additional malware or adware onto the infected system. Since the trojan masquerades as a Flash upgrade, victims are unaware of its malicious intent. Infected computers are redirected to an installer via forced redirects that are targeted specifically to desktop Safari users.

Little is known about the hackers behind the attack. The research team at Confiant and Malwarebytes said that this latest malvertising campaign shows how the tactic continues to evolve as hackers look to distribute malware on a wide scale while staying hidden through obfuscation. As malvertising detection continues to evolve, hackers are learning that the previous methods of obfuscation are no longer getting the job done. The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Tactics like this are useful for smuggling payloads without relying on hex-encoded strings or bulky lookup tables.