‘VeryMal’ malvertising campaign targets Mac users with Shlayer trojan

• Threat actors conducted this malvertising campaign from January 11 to January 13, 2019.
• The malicious campaign was capable of infecting as many as 5 million Mac users a day.

A new malvertising campaign dubbed as ‘VeryMal’ has been affecting a million Mac users with the Shlayer trojan. This latest campaign employs steganography technique to hide malicious code inside ad images to avoid detection.

The campaign has been named after one of the attackers’ ad serving domains veryield-malyst[.]com. According to a report from a security firm Confiant, threat actors conducted this malvertising campaign from January 11 to January 13, 2019. The malicious campaign was capable of infecting as many as 5 million Mac users a day.

Modus Operandi

The infection process begins with a message that tells the internet users that their Flash Player is out of date and redirects them to a malicious link. The link contains an ad with an image of a small white bar. This white bar image contains a JavaScript code which enables the attackers to checks if the user’s machine support Apple fonts. It it does not find any such fonts on the machine, then the program gets terminated automatically. This is made possible via steganography technique.

“In fact, the steganography comes into play in order to deliver only part of the payload, and the image needs to be processed in order for that piece to be extracted and then utilized. The image alone will not harm your computer or redirect your browser,” said Eliya Stein, a researcher at Confiant.

If visitors click on the image, then the Shlayer trojan gets downloaded on the device without their knowledge. The Shlayer trojan masquerades as Fake Flash updates in order to infect Mac users.

Commenting on the technique used in the campaign, Stein said, “The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

While the January campaign of ‘VeryMal’ targeted Mac users, Confiant research claims that the operators of ‘VeryMal’ had targeted iOS users in their previous campaigns.