New macOS Malware Variant Goes Unnoticed by Antivirus Scanners

Cybercriminals have been turning to scripting languages as a preferred means for both dropping malware and executing payloads. The most talked-about macOS malware, Shlayer, has hit the news again recently after being caught abusing Apple’s macOS notarization service.

A headline-grabbing threat

In September, SentinelOne researcher Phil Stokes discovered a new variant of Shlayer macOS malware called ZShlayer that obfuscates itself to slip past security tools and compromise a target machine.
  • Following Apple’s lead in preferring Zsh to Bash as its default shell language, the new variant employs heavily obfuscated Zsh scripts to avoid detection.
  • Active since late June, this new ZShlayer variant uses a standard Apple application bundle inside the .dmg file.
  • As a result, it was able to slip past Apple’s notarization checks and bombard users of infected machines with unwanted ads.
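A defender-side check in the spirit of the variant described above, added here as an example and not code from the original article or from SentinelOne: it resolves an .app bundle's CFBundleExecutable and flags a launcher that is a Zsh script showing obfuscation traits (eval, decode-and-run pipelines, very long lines) rather than a compiled Mach-O binary. It assumes the bundle's launcher is the script itself, which this page does not state; the sample bundle and the indicator names are constructed.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Magic numbers of Mach-O (32/64-bit, both byte orders) and fat binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def main_executable(app):
    """Resolve the launcher named by CFBundleExecutable in Contents/Info.plist."""
    with open(app / "Contents" / "Info.plist", "rb") as f:
        info = plistlib.load(f)
    return app / "Contents" / "MacOS" / info["CFBundleExecutable"]

def script_indicators(data):
    """Constructed heuristics for an obfuscated shell-script launcher (not a signature)."""
    hits = []
    if data[:4] in MACHO_MAGICS:
        return hits  # compiled binary: these script heuristics do not apply
    shebang = data.split(b"\n", 1)[0]
    if shebang.startswith(b"#!") and b"zsh" in shebang:
        hits.append("zsh-script-launcher")
    text = data.decode("latin-1")
    if re.search(r"\beval\b", text):
        hits.append("eval")
    if re.search(r"\b(base64|openssl)\b.*-d", text):  # decode-then-run pipeline
        hits.append("decode-pipeline")
    if max((len(line) for line in text.splitlines()), default=0) > 500:
        hits.append("very-long-line")
    return hits

def scan_bundle(app):
    """Return indicator names for the bundle's launcher (empty list = nothing flagged)."""
    return script_indicators(main_executable(app).read_bytes())

def build_sample_bundle(root, launcher):
    """Constructed fixture: a minimal .app bundle whose launcher is the given bytes."""
    app = root / "Sample.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Sample"}, f)
    (app / "Contents" / "MacOS" / "Sample").write_bytes(launcher)
    return app

def demo_obfuscated_launcher():
    """Scan a constructed bundle whose launcher is a long, eval-driven Zsh one-liner."""
    launcher = b"#!/bin/zsh\n" + b'eval "$(echo ' + b"A" * 600 + b' | base64 -d)"\n'
    with tempfile.TemporaryDirectory() as d:
        return scan_bundle(build_sample_bundle(Path(d), launcher))
```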

Recent Shlayer-slinging campaigns

First found in 2018, the Shlayer (aka OSX.Shlayer) malware has been distributed bundled with adware and is still circulating today.
  • In July, over 1,000 malicious domains were used to distribute the Shlayer trojan, which installed adware on infected devices.
  • In June, masquerading as an Adobe Flash Player installer, Mac malware Shlayer was delivered as a trojan horse via a DMG disk image file.

Worth noting

Abusing Apple’s Notarization service is clear proof that the Shlayer-ZShlayer campaigns are evolving to become more dangerous. Hackers are developing multiple threat campaigns against macOS users. Experts say organizations should use behavioral analysis to detect such sophisticated malware threats.