However, as discussed in the Execution section later in this post, these scripts are still subject to the same Gatekeeper and notarization checks performed by macOS as with any other software executed on the machine.Īs with much of the currently distributed adware, this malware is typically delivered via drive-by advertisements, posing as a fake Adobe Flash or related software updates. These variants still mimic the appearance of traditional application installers, but rather than launching an executable they execute a script that performs the infection.
VMWARE SCRIPT FOR MAC OS CODE
Although the basic behavioral infection chain is the same, the refactoring of infection code with added complexity and use of python rather than basic shell scripts implies the possibility that a different actor has mimicked the functionality of Shlayer in order to divert attention or attribution.Īs with versions of the original variant of Shlayer, many samples make use of script ing (typically bash or AppleScript) rather than traditional installer packages.
However, given the post-infection behavior of these samples, it is unclear whether the same actor set is behind the campaign.
Researchers at Kaspersky recently posted about a set of samples that were found to exhibit very similar behavioral patterns to known Shlayer samples. The chart below shows uploads from the past six months, both original variants detected using behavioral identifiers and all samples identified by at least one antivirus agent as Shlayer:įigure 1 : Known Shlayer uploads, past six monthsĪlthough Shlayer samples are continually being generated and uploaded, and we continue to see active infections in the wild, the basic behavioral indicators have not varied much since the initial samples seen in early 2018. In the past six months, there is still a large number of samples being uploaded publicly. We have continued to see a steady number of infections and samples of Shlayer in the wild over the past year. These tactics are often used by adware and malware to trick the user into installing their software. Many of the sites that we have found to redirect to these fake updates have been those masquerading as legitimate sites, or hijacked domains formerly hosting legitimate sites, and some appear to be redirected from malvertisements on legitimate sites. In November of 2018, VMware Carbon Black’s Threat Analysis Unit (TAU) obtained new samples of this malware and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update. Shlayer is a family of macOS malware which was first reported in February of 2018 by researchers from Intego. For more information on how VMware Carbon Black’s products protect from these threats, please see the TAU-TIN on our user exchange. Despite minor differences in the variants discovered, the overall behavior of this family of malware has remained the same. Although detection by antivirus vendors has improved over the past year, the malware authors continue to release new samples on a daily basis. Following our initial reporting of this threat, Carbon Black’s Threat Analysis Unit (TAU) has continued following the Shlayer family of malware and monitoring changes adopted by this campaign.
0 kommentar(er)
