New Shlayer Malware Variant Targeting Macs

Security researchers have found a new variant of a trojan program dubbed Shlayer that infects Mac computers and disables the macOS Gatekeeper security agent.

Shlayer was discovered a year ago by researchers from Intego and was typically distributed through BitTorrent sites under the guise of a Flash Player update warning. What’s interesting about it compared to other Mac malware is that it uses shell scripts to download additional payloads.

A new Shlayer variant was detected recently by Carbon Black’s Threat Analysis Unit (TAU) and while the rogue Flash Player update theme is still used, victims are directed to the rogue warnings through compromised legitimate websites and malicious advertisements. This means the distribution campaigns are more aggressive and widespread and no longer target just users who are actively looking to download content through BitTorrent sites.

“Samples discovered by TAU have been seen to affect versions of macOS from 10.10.5 to 10.14.3,” the Carbon Black researchers said in a report. “The malware employs multiple levels of obfuscation and is capable of privilege escalation.”

The initial dropper comes in the form of a DMG (mountable disk image) file that is signed with a legitimate Apple developer ID. However, the researchers have also seen installers using the .pkg, .iso and .zip formats.

The use of a legitimate code signing certificate obtained through Apple’s developer program is significant because it allows attackers to bypass macOS’ default restrictions and warnings for non-signed installers obtained from the internet. These restrictions are enforced through an OS component called Gatekeeper.

The new Shlayer variant continues to use shell scripts to deploy additional payloads. When the initial DMG image is mounted and the signed installer is run, a .command script stored in a hidden directory inside the volume is also executed.

This triggers an infection chain that involves decrypting and executing additional encoded scripts bundled with the first one. The final script collects system information, generates a unique ID for the infected machine and downloads a secondary malware payload from a remote URL.

This second payload is an .app executable that attempts to escalate privileges to root—the administrative account—using a technique documented by researcher Patrick Wardle in 2017.

“Once the malware has elevated to root privileges, it attempts to download additional software (observed to be adware in the analyzed samples) and disables Gatekeeper for the downloaded software using spctl,” the researchers said. “This allows the whitelisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the internet.”

Shlayer is proof that macOS malware programs can be as sophisticated as those for Windows and actually use some of the same techniques to bypass the operating system defenses. For example, many Windows malware programs use PowerShell scripts and also have components signed with stolen digital certificates to bypass warnings.

Just like Shlayer disables Gatekeeper on Mac, Windows malware uses known techniques to bypass the User Account Control (UAC) mechanism on Windows that prevents applications from executing with elevated privileges.

Microsoft and Adobe Patch Zero-Day Vulnerabilities

Microsoft and Adobe Systems released their monthly security patches this week and both companies fixed publicly known vulnerabilities in their products.

Microsoft released patches for 74 vulnerabilities, 20 of which are rated critical. Fifteen of the critical flaws are located in the browsers and the Windows scripting engine, which means they can potentially be targeted remotely. The rest are located in the Graphics Device Interface (GDI+), Microsoft SharePoint and Microsoft’s DHCP server.

The company also released patches for an attack technique disclosed in late January that allows attackers to compromise Exchange email servers and gain Domain Admin privileges.

Microsoft published an advisory last week with mitigation instructions for this attack but now has released two patches to address the underlying issues. Companies running Exchange environments should prioritize these updates in their patching plans.

Adobe released updates for Acrobat and Reader, Flash Player, ColdFusion and the Creative Cloud Desktop Application. The Acrobat and Reader patches address 71 flaws, including a zero-day one (CVE-2019-7089) that was disclosed publicly last month and which allows rogue PDF files to expose Windows NTLM credentials to attacker-controlled servers.

Shortly after the Adobe update was released, the researcher who found the initial flaw said that he found a way to bypass the company’s patch.

Featured eBook
Next-Generation Cybersecurity

Next-Generation Cybersecurity

Cyberattacks are always evolving. Cybercriminals continue to discover and exploit new attack vectors and manage to stay one step ahead of cybersecurity. That’s in part because our cybersecurity systems aren’t keeping up: Many organizations continue to rely on legacy systems that were effective for the type of attacks we saw five or 10 years ago ... Read More
Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin