The Shlayer trojan accounted for approximately 30 percent of all of Kaspersky Lab’s malware detections for the macOS platform in 2019.

Kaspersky Lab revealed on Securelist that Shlayer has been the most common threat to target its macOS userbase for the past two years. During that time, one in 10 of the security firm’s macOS solutions encountered the malware at least once.

Shlayer first fell into the hands of Kaspersky back in February 2018. Since that time, its solutions have collected nearly 32,000 different samples of the trojan. They’ve also pinpointed 143 distinct command-and-control (C&C) server domains.

Overall, Shlayer featured in 30% of Kaspersky’s detections for its macOS users over the course of 2019.

Kaspersky’s top 10 detections for macOS between January 2019 and November 2019. (Source: Securelist)

Kaspersky found Shlayer to be “a rather ordinary piece of malware” with primarily Bash-based variants. Even so, its researchers did uncover Trojan-Downloader.OSX.Shlayer.e, a Python-based variant that used a slightly different operation algorithm than its cousins.

This malware version used a DMG file that, when mounted, prompted the user to run an installation file. The installer turned out to be a Python script that generated a user ID and collected information about the machine. The campaign then used that data to generate a .zip archive containing an application package with the executable file 84cd5bba3870. Shlayer ultimately ran that application package before deleting the archive and its unpacked contents.

At the time of its writing, Kaspersky Lab observed Shlayer using its initial infection to download members of the AdWare.OSX.Cimpli family. This threat installed a malicious extension in Safari and used the mitmdump tool as part of its efforts to monitor all user search inquiries.

The trojan was also capable of downloading AdWare.OSX.Bnodlero, AdWare.OSX.Geonei and AdWare. (Read more...)