Shlayer on the Sly: Packing up some Extra Sneak

For almost two years, the Shlayer trojan has been unleashing the Kraken on the macOS platform.

What’s going on?

Recently, a fresh variant of the trojan has been discovered that uses poisoned Google search results to pick out victims. The malware is disguised as an Adobe Flash Player installer. Once downloaded, the infection proceeds in a crafty way designed to evade detection.

The crafty malware

  • The new variant is delivered as a trojan horse application on a DMG disk image.
  • When the victim follows the installation instructions, the installer app launches. It looks like a normal app, but its executable is actually a bash shell script.
  • The Mac .app is hidden within a password-protected ZIP file, which, in turn, is hidden within a bash shell script. This is a unique strategy adopted by the malware developers to evade detection.
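As an added defender-side example (not code from the original post or from any vendor), the following constructed Python heuristic triages the pattern described above: an installer bundle whose main executable is a shell script rather than a Mach-O binary and which carries an embedded, password-protected ZIP. The sample payload, the `unzip -P` pattern and the function names are assumptions made for the example.

```python
import io
import re
import struct
import zipfile

# Constructed heuristics for triaging a macOS installer's main executable
# (the file Info.plist's CFBundleExecutable points at). Not a vendor signature.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}  # 32/64-bit, both byte orders, fat
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def inspect_installer(blob: bytes) -> dict:
    """Flag an 'app' whose executable is a shell script carrying a ZIP payload."""
    r = {
        "is_shell_script": blob.startswith(b"#!"),
        "is_macho": blob[:4] in MACHO_MAGICS,
        "embedded_zip_offsets": [],
        "encrypted_zip_entries": 0,
    }
    # Every ZIP entry starts with a local file header; bit 0 of the flags word at
    # offset 6 marks the entry as encrypted, i.e. password protected.
    off = blob.find(ZIP_LOCAL_HEADER)
    while off != -1:
        r["embedded_zip_offsets"].append(off)
        if off + 8 <= len(blob) and struct.unpack_from("<H", blob, off + 6)[0] & 0x1:
            r["encrypted_zip_entries"] += 1
        off = blob.find(ZIP_LOCAL_HEADER, off + 4)
    # A script that calls unzip with an inline password is another strong tell.
    r["unzip_with_password"] = re.search(rb"\bunzip\b[^\n]*\s-P\s*\S+", blob) is not None
    r["suspicious"] = r["is_shell_script"] and (
        bool(r["embedded_zip_offsets"]) or r["unzip_with_password"])
    return r


# Constructed sample: a bash stub (no working loader logic) followed by a ZIP whose
# single entry has the encrypted bit set by hand; no real cipher is applied.
SAMPLE_STUB = b"#!/bin/bash\n# constructed stub; dropper logic omitted\nunzip -P secret payload.zip\n"


def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Installer.app/Contents/MacOS/Installer", "placeholder")
    payload = bytearray(buf.getvalue())
    payload[6] |= 0x1  # flip the 'encrypted' flag in the local file header
    return SAMPLE_STUB + bytes(payload)


if __name__ == "__main__":
    print(inspect_installer(build_sample()))
```

Run against a bundle's `Contents/MacOS/<executable>` file, a Mach-O result with no embedded ZIP is the normal case; a shebang plus an encrypted ZIP entry is the pattern worth escalating.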

Worth noting

  • Besides Google, other search engines, such as DuckDuckGo, Bing, Yahoo, Ecosia, and Startpage, are also likely targeted by this malware's poisoned results.
  • Interestingly enough, FlashDownloader, the company name mentioned in the new Shlayer variant, is also tied to a web browser with a built-in free VPN for Windows, which claims that a Mac version is on the way.
  • As of now, it remains unclear how many sites are offering this specific variant of the malware and how many types of search results are poisoned.

The bottom line is that the malware variant is new and the rate of infections has not yet been determined. However, going by the notorious history of the Shlayer malware family, it is fair to say that macOS remains a lucrative platform for the threat actors behind it.