Cybercriminals have been turning to scripting languages as a preferred means for both dropping malware and executing payloads. The most talked-about macOS malware, Shlayer, has hit the news again recently after being caught abusing Apple’s macOS notarization service.
A headline grabbing threat
In September, SentinelOne researcher Phil Stokes discovered a new variant of Shlayer macOS malware called ZShlayer that obfuscates itself to slip past security tools and compromise a target machine.
- Following Apple’s lead in preferring Zsh to Bash as its default shell language, the new variant employs heavily obfuscated Zsh scripts to avoid detection.
- Active since late-June, this new ZShlayer variant uses a standard Apple application bundle inside the .dmg file.
- Hence, it was able to slip past Apple’s notarizing checks and bombarded users of infected machines with unwanted ads.
Recent Shlayer-slinging campaigns
First found in 2018, Shlayer (aka OSX.Shlayer) malware has been packaged with malicious adware, which has continued to circulate until recent times.
- In July, over 1,000 malicious domains were used to distribute the Shlayer trojan, which installed adware on infected devices.
- In June, masquerading as an Adobe Flash Player installer, Mac malware Shlayer was delivered as a trojan horse via a DMG disk image file.
Abusing Apple’s Notarization service is clear proof that the Shlayer-ZShlayer campaigns are evolving to become more dangerous. Hackers are developing multiple threat campaigns against macOS users. Experts say organizations should use behavioral analysis to detect such sophisticated malware threats.