Threat Management, Malware, Network Security

Variant of Mac malware ‘Shlayer’ spreads via poisoned web searches

Researchers have discovered a new variant of Shlayer Mac malware that  bypasses Apple’s built-in security protections and is being spread via malicious results from Google web searches.

Shlayer is used generally to distributed bundled adware or unwanted programs. According to a company blog post from Intego, the new version of this malware was observed being delivered via a weaponized Apple Disk Image (.dmg) file, disguised as an installer for Adobe Flash Player.

macOS device owners searching via Google for certain YouTube video titles could fall victim to this scheme, as malicious actors have used search poisoning techniques to develop malicious results for these inquiries. Users who click on these results will be taken to various redirection sites until they land on a page that falsely claims their Flash Player is outdated and encourage them to download and install an update. This so-called update, however, is the aforementioned trojanized .dmg file.

"While the installer has a Flash Player icon and looks like a normal Mac app, it's actually a bash shell script that will briefly open and run itself in the Terminal app," explains the Intego blog post, authored by Chief Security Analyst Joshua Long. "As the script runs, it extracts a self-embedded, password-protected .zip archive file, which contains a traditional (though malicious) Mac .app bundle. After installing the Mac app into a hidden temporary folder, it launches the Mac app and quits the Terminal. All this takes place within a split second."

"Once the Mac app launches, it downloads a legitimate, Adobe-signed Flash Player installer, so that it can appear to be genuine -- but the hidden Mac app is designed to also have the capability to download any other Mac malware or adware package, at the discretion of those controlling the servers to which the hidden Mac app phones home," Long continues.

Long calls the malware developers' use of the bash shell script a "novel idea" that indicates that the adversaries are trying to evade antivirus detection. Additionally, during the installation process, users are instructed to "right-click" on the fake Flash installer and select the "Open" command.

This right-click technique was introduced to avoid users from double-clicking on the fake installer, which would have opened a dialog box stating that the app can't be opened because the developer is unverified. Instead, users receive a different dialog box -- one that says the developer is not verified, but still gives the option to open the app.

"In this case, the malware makers are hoping you’ll ignore Apple’s fine print and instead blindly follow the malware maker’s instructions from the disk image background instead," writes Long.

Intego notes that the company distributing the disguised Shlayer variant calls itself FlashDownloader and lists its contact information as info@flashdownloader[.]pro. "The domain flashdownloader[.]pro was registered on June 8, 2020, just days before the malware was first observed in the wild," the blog post states.

Intego also reports that the same company also claims to offer a web browser with a built-in free VPN for Windows, with a Mac version coming soon.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds