
New macOS Malware Variant Goes Unnoticed by Antivirus Scanners

Cybercriminals increasingly rely on scripting languages both to drop malware and to execute payloads. Shlayer, the most widely reported macOS malware, is in the news again after samples were caught abusing Apple's macOS notarization service.

A headline grabbing threat

In September, SentinelOne researcher Phil Stokes documented a new Shlayer variant, dubbed ZShlayer, that obfuscates itself to slip past security tools and compromise the target machine.
  • Apple has made Zsh, rather than Bash, the default shell on macOS; following that shift, the new variant's droppers are heavily obfuscated Zsh scripts, which existing detections tuned to Shlayer's earlier scripts do not catch.
  • Active since late June, ZShlayer ships as a standard Apple application bundle inside a .dmg file.
  • Because the bundle looks ordinary to static checks, it was able to pass Apple's notarization checks, and infected machines were bombarded with unwanted ads.
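To make the packaging described above concrete, here is an added triage script. It is not Cyware's or SentinelOne's code and does not reproduce ZShlayer's real obfuscation: it walks an app bundle's Contents/MacOS, picks out launchers that are shell scripts rather than Mach-O binaries, and scores them on indicators that are assumptions chosen for illustration (eval, run-time base64 decoding, stripping of the com.apple.quarantine attribute, commands rebuilt from string slices, very long encoded lines). The two bundles it examines are constructed inline in a temporary directory.

```python
"""Static triage of macOS app bundles whose main executable is a shell script.

Added example, not Cyware's or SentinelOne's code. The indicator list, weights
and threshold are assumptions for illustration; the bundles are constructed.
"""
import os
import re
import tempfile

# Shebang of a script-based launcher in Contents/MacOS.
SHEBANG_RE = re.compile(rb"^#!\s*/(?:bin|usr/bin)/(?:env\s+)?(zsh|bash|sh)\b")

# (pattern, weight): assumed indicators of an obfuscated dropper script.
INDICATORS = {
    "eval": (re.compile(r"\beval\b"), 3),
    "base64_decode": (re.compile(r"base64\s+(?:-d|-D|--decode)\b"), 3),
    "openssl_enc": (re.compile(r"\bopenssl\s+enc\b"), 2),
    "downloader": (re.compile(r"\b(?:curl|wget)\b"), 1),
    "strip_quarantine": (re.compile(r"xattr\s+-[a-z]*d\b.*com\.apple\.quarantine"), 3),
    "substring_built_cmd": (re.compile(r"\$\{[A-Za-z_]\w*:\d+:\d+\}"), 2),
}
SUSPICIOUS_AT = 6  # assumed threshold


def script_launchers(bundle):
    """Yield (path, interpreter) for shell scripts found in Contents/MacOS."""
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    if not os.path.isdir(macos_dir):
        return
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            m = SHEBANG_RE.match(fh.readline())
        if m:
            yield path, m.group(1).decode()


def score_script(text):
    """Return (score, hits) for one script body."""
    score, hits = 0, {}
    for name, (rx, weight) in INDICATORS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
            score += weight
    # A very long line usually means an embedded encoded payload.
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > 200:
        hits["long_line"] = longest
        score += 2
    return score, hits


def triage_bundle(bundle):
    """Score every script launcher in a bundle; returns a list of findings."""
    findings = []
    for path, interp in script_launchers(bundle):
        with open(path, encoding="utf-8", errors="replace") as fh:
            score, hits = score_script(fh.read())
        findings.append({
            "launcher": os.path.relpath(path, bundle),
            "interpreter": interp,
            "score": score,
            "hits": hits,
            "suspicious": score >= SUSPICIOUS_AT,
        })
    return findings


def write_bundle(root, name, script):
    """Create <root>/<name>.app/Contents/MacOS/<name> containing `script`."""
    bundle = os.path.join(root, name + ".app")
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos_dir, exist_ok=True)
    path = os.path.join(macos_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(script)
    os.chmod(path, 0o755)
    return bundle


# Constructed samples; neither is a real Shlayer or ZShlayer script.
BENIGN = "#!/bin/zsh\nopen -a Safari 'https://example.invalid/help'\n"
OBFUSCATED = (
    "#!/bin/zsh\n"
    "_q='xattr -d com.apple.quarantine'\n"
    "_p='ZWNobyBwYXlsb2FkCg=='\n"
    "_x=\"${_q:0:5}\"\n"                      # command rebuilt from a slice
    "eval \"$(echo \"$_p\" | base64 -D)\"\n"  # payload decoded at run time
)


def triage_constructed_samples():
    """Build both bundles in a temp dir and return {label: findings}."""
    with tempfile.TemporaryDirectory() as root:
        return {
            "benign": triage_bundle(write_bundle(root, "Helper", BENIGN)),
            "obfuscated": triage_bundle(write_bundle(root, "Installer", OBFUSCATED)),
        }


if __name__ == "__main__":
    for label, findings in triage_constructed_samples().items():
        for f in findings:
            print(label, f["launcher"], f["interpreter"], f["score"], f["suspicious"], f["hits"])
```

Static scoring like this is a triage aid, not a verdict: it flags which launchers deserve a look, while the behavioral analysis recommended below is what catches a script whose indicators have been obfuscated out of reach of regular expressions.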

Recent Shlayer-slinging campaigns

First seen in 2018, Shlayer (aka OSX.Shlayer) is a trojan dropper that installs adware, and it continues to circulate.
  • In July, more than 1,000 malicious domains were used to distribute the Shlayer trojan, which installed adware on infected devices.
  • In June, Shlayer was delivered as a trojan horse inside a DMG disk image masquerading as an Adobe Flash Player installer.

Worth noting

The abuse of Apple's notarization service shows that the Shlayer and ZShlayer campaigns are evolving and becoming more dangerous, and attackers are running multiple campaigns against macOS users in parallel. Experts recommend that organizations rely on behavioral analysis, rather than static signatures alone, to detect malware that obfuscates itself this way.

Cyware Publisher