New Shlayer variant disables Gatekeeper protection mechanism to run second-stage payloads

• The new Shlayer variant is distributed as a malicious Adobe Flash software update via fake update pop-ups on hijacked domains or legitimate sites clones.
• This new variant impacts macOS versions 10.10.5 to 10.14.3 and is capable of privilege escalation.

Researchers from Carbon Black’s Threat Analysis Unit (TAU) detected a new variant of Shlayer trojan that targets macOS. The new variant is distributed as a malicious Adobe Flash software update via fake update pop-ups on hijacked domains or legitimate sites clones or as part of malvertising campaigns running on legitimate websites. This new Shlayer variant disables Gatekeeper protection mechanism on macOS to run additional second-stage payloads.

More details on the new variant

Shlayer samples discovered by the researchers impacts macOS versions 10.10.5 to 10.14.3. The Threat Analysis Unit noted that this Shlayer variant employs multiple levels of obfuscation and is capable of privilege escalation.

TAU noted that most Shlayer samples were DMG files, however, the researchers also noted some samples in PKG, ISO, and ZIP files. Some of the DMGs were also signed with a legitimate Apple developer ID in order to appear legitimate.

“When the DMG is mounted and the installer executed, a .command script is executed from a hidden directory in the mounted volume. This script base64 decodes and AES decrypts a second script containing an additional encoded script that is subsequently executed,” Carbon Black's TAU explained in their blog.

The second script performs the tasks listed below.

• Collects system information such as the macOS version and IOPlatformUUID (a unique identifier for the system).
• Generates a 'Session GUID' using uuidgen.
• Creates a custom URL using the information generated in the previous two steps and downloads the second stage payload.
• Attempts to download the zip file payload using curl.
• Creates a directory in '/tmp' to store the payload and unzips the password-protected payload.
• Makes the binary within the unzipped .app executable using chmod +x.
• Executes the payload using open with the arguments 's', '$session_guid'. and '$volume_name'.
• Executes killall Terminal to kill the running script’s terminal window.

The second-stage payload

Once the second-stage payload is downloaded and executed, the malware attempts ‘to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline’ as discussed by Patrick Wardle in DEFCON 2017 talk ‘Death by 1000 Installers’.

Once the malware has elevated to root privileges, Shlayer attempts to download additional payloads and disables Gatekeeper protection mechanism to run the downloaded payloads using spctl.

“This allows the whitelisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the internet,” TAU stated.