Researchers from Carbon Black's Threat Analysis Unit (TAU) have detected a new variant of the Shlayer trojan that targets macOS. The new variant is distributed as a malicious Adobe Flash software update, via fake update pop-ups on hijacked domains or on clones of legitimate sites, or as part of malvertising campaigns running on legitimate websites. This new Shlayer variant disables the Gatekeeper protection mechanism on macOS in order to run additional second-stage payloads.
More details on the new variant
Shlayer samples discovered by the researchers affect macOS versions 10.10.5 to 10.14.3. The Threat Analysis Unit noted that this Shlayer variant employs multiple levels of obfuscation and is capable of privilege escalation.
TAU noted that most Shlayer samples were DMG files; however, the researchers also observed some samples delivered as PKG, ISO, and ZIP files. Some of the DMGs were also signed with a legitimate Apple developer ID in order to appear trustworthy.
“When the DMG is mounted and the installer executed, a .command script is executed from a hidden directory in the mounted volume. This script base64 decodes and AES decrypts a second script containing an additional encoded script that is subsequently executed,” Carbon Black's TAU explained in a blog post.
The second script performs the tasks listed below.
The second-stage payload
Once the second-stage payload is downloaded and executed, the malware attempts ‘to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline’, as discussed by Patrick Wardle in his DEFCON 2017 talk ‘Death by 1000 Installers’.
Once the malware has elevated to root privileges, Shlayer attempts to download additional payloads and disables the Gatekeeper protection mechanism, using spctl, so that the downloaded payloads can run.
“This allows the whitelisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the internet,” TAU stated.
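The infection chain described above (a hidden .command script run from a mounted volume, privilege escalation through security_authtrampoline, and spctl used to turn Gatekeeper off or whitelist software) leaves traces a defender can check for. The script below is an added example, not Carbon Black's code or anything from the Shlayer samples: it parses the output of `spctl --status` to report whether Gatekeeper assessments are still enabled, and scans process-execution log lines for the three behaviours. The log format (`timestamp uid=… ppid_image=… image=… args=…`) and the sample lines are constructed for the example; a real endpoint agent or audit log will need its own field mapping.

```shell
#!/bin/sh
# Added triage helpers for the Shlayer behaviours discussed above.
# Constructed example: the log format, field names and sample lines are assumptions.

# Interpret the output of `spctl --status`. The status text is passed as an
# argument so the function can be exercised offline; on a live Mac call
#   gatekeeper_state "$(spctl --status)"
# Returns 0 when assessments are enabled, 1 when disabled, 2 when unrecognised.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "gatekeeper: enabled";  return 0 ;;
        *"assessments disabled"*) echo "gatekeeper: DISABLED"; return 1 ;;
        *) echo "gatekeeper: unrecognised status '$1'";        return 2 ;;
    esac
}

# Read process-execution records from stdin, one per line, in the assumed format
#   <timestamp> uid=<n> ppid_image=<parent path> image=<path> args=<command line>
# and print an ALERT line for each record matching one step of the chain:
#   1. a .command script executed from a hidden directory on a mounted volume
#   2. a process spawned by /usr/libexec/security_authtrampoline (sudo escalation)
#   3. spctl invoked to disable assessments or whitelist a label
flag_shlayer_indicators() {
    while IFS= read -r line; do
        reason=""
        case "$line" in
            *"image=/Volumes/"*"/."*".command"*) reason="hidden .command on mounted volume" ;;
        esac
        case "$line" in
            *"ppid_image=/usr/libexec/security_authtrampoline"*) reason="child of security_authtrampoline" ;;
        esac
        case "$line" in
            *"image=/usr/sbin/spctl"*"--master-disable"*|*"image=/usr/sbin/spctl"*"--add"*)
                reason="spctl used to disable Gatekeeper or whitelist software" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'ALERT [%s]: %s\n' "$reason" "$line"
        fi
    done
}

# Constructed sample log: three records match the chain, two are benign noise.
SAMPLE_LOG='2019-02-12T10:01:05Z uid=501 ppid_image=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder image=/Volumes/Install/.hidden/Installer.command args=/Volumes/Install/.hidden/Installer.command
2019-02-12T10:01:06Z uid=501 ppid_image=/Applications/Safari.app/Contents/MacOS/Safari image=/usr/bin/hdiutil args=hdiutil attach Install.dmg
2019-02-12T10:01:09Z uid=0 ppid_image=/usr/libexec/security_authtrampoline image=/bin/sh args=sh -c /tmp/stage2_placeholder
2019-02-12T10:01:12Z uid=0 ppid_image=/bin/sh image=/usr/sbin/spctl args=spctl --master-disable
2019-02-12T10:02:00Z uid=501 ppid_image=/Applications/Safari.app/Contents/MacOS/Safari image=/usr/bin/curl args=curl -s https://example.invalid/update'

# Stand-alone run: report Gatekeeper state for a constructed status string,
# then scan the sample log. Expect three ALERT lines.
gatekeeper_state "assessments enabled"
printf '%s\n' "$SAMPLE_LOG" | flag_shlayer_indicators
```

The spctl check and the hidden-directory check are the two that matter most for this variant: a Gatekeeper status of "assessments disabled" on a managed Mac that should have it on is a strong signal on its own, and a .command file under a dot-directory on a freshly mounted volume is rarely legitimate installer behaviour.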