Shlayer Mac Malware Evolves
A version of the Shlayer Mac malware with advanced stealth capabilities has been found using poisoned Google search results to find its victims. The malware purports to be an Adobe Flash Player installer. What sets Shlayer apart from other malware is the novel way it infects a victim once it has been downloaded, which helps it evade detection.
The fake installer is downloaded as a .DMG disk image. After the fake Flash Player installer is downloaded and opened on a victim's Mac, the disk image mounts and displays instructions on how to install it. The odd part is that the instructions tell users to first right-click on the Flash Installer and select Open, and then to click Open in the resulting dialog box. Unlike on Windows PCs, there is no obvious right-side button on Apple mice and trackpads. Novice Mac users may therefore not know how to do the Mac equivalent of a right-click, and may not work out how to run the malware installer script.
This app comes with a Flash Player icon and looks like a regular Mac app, but it is actually a bash shell script. When opened, the script runs itself in the Terminal app, where it extracts a self-embedded, password-protected .ZIP archive. Inside the archive lies a Mac .APP bundle, which the installer places into a hidden, temporary folder and launches before quitting Terminal. This happens in the blink of an eye so that users do not notice. The Mac .APP bundle also downloads a legitimate, Adobe-signed Flash Player installer, which covers for the hidden, malicious app operating in the background.
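The key tell in the chain above is a bundle that looks like a normal app but whose main executable is a shell script rather than a compiled Mach-O binary. The following is an added defensive example (not code from the article or from any analysis it cites): it reads a bundle's Info.plist, locates the `CFBundleExecutable`, and classifies it by its leading bytes. The two bundles it inspects are constructed in a temporary directory as fixtures; the "Flash Player" name and the script contents are placeholders, not real samples.

```python
"""Classify .app bundles by whether their main executable is Mach-O or a script.

Added example: flags the pattern the article describes (a bundle with a normal
icon whose CFBundleExecutable is actually a bash script). Fixtures are built inline.
"""
import os
import plistlib
import tempfile

# Mach-O magic numbers: 32-bit, 64-bit and fat/universal, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / FAT_CIGAM
}

def classify_app(bundle_path):
    """Return 'macho', 'script' or 'unknown' for the bundle's main executable."""
    with open(os.path.join(bundle_path, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    exe_name = info.get("CFBundleExecutable", "")
    exe_path = os.path.join(bundle_path, "Contents", "MacOS", exe_name)
    with open(exe_path, "rb") as fh:
        head = fh.read(4)
    if head in MACHO_MAGICS:
        return "macho"
    if head.startswith(b"#!"):          # shebang: a shell/interpreter script
        return "script"
    return "unknown"

def make_bundle(root, name, executable_bytes):
    """Construct a minimal .app bundle on disk (test fixture, not real malware)."""
    app_dir = os.path.join(root, name + ".app")
    macos_dir = os.path.join(app_dir, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(app_dir, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": name, "CFBundleName": name}, fh)
    with open(os.path.join(macos_dir, name), "wb") as fh:
        fh.write(executable_bytes)
    return app_dir

def demo():
    """Build one 64-bit Mach-O bundle and one script-backed bundle; classify both."""
    root = tempfile.mkdtemp()
    real = make_bundle(root, "RealApp", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    fake = make_bundle(root, "Flash Player", b"#!/bin/bash\necho placeholder\n")
    return {os.path.basename(p): classify_app(p) for p in (real, fake)}

if __name__ == "__main__":
    print(demo())   # {'RealApp.app': 'macho', 'Flash Player.app': 'script'}
```

On a real system, pointing `classify_app` at each bundle under a mounted .DMG or inside `/Applications` gives a quick triage signal; a Gatekeeper-bypassing "right-click, Open" instruction combined with a script-backed bundle is worth a closer look.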
The hidden malware can lurk on the machine, ready to download any other Mac malware or adware package from a command-and-control (C2) server whenever the attackers choose. Last year Shlayer became the most common Mac threat, accounting for 29 percent of all attacks on macOS devices in Kaspersky's telemetry in 2019. Previous versions also acted as installers for second-stage malware and spread through fake apps.
It is unclear how many sites are offering the malware and how many varieties of search results are poisoned. The new malware installer and its payload have a 0 out of 60 detection rate among all antivirus engines on VirusTotal. The use of poisoned search results, a .DMG image and a fake Adobe Flash installer is identical to the modus operandi of another malware family dubbed CrescentCore. CrescentCore appeared last summer, but it used different evasion techniques from the new malware. It also installed malicious Safari browser extensions and dropped bloatware applications such as Advanced Mac Cleaner on infected devices.