Shlayer macOS Malware Installed via Fraudulent Flash Player Update
Intego researchers discovered multiple variants of a new macOS malware, dubbed Shlayer. This malware is currently distributed via BitTorrent file-sharing sites, masquerading as a fake Adobe Flash Player update. The malware leverages shell scripts to install MacOffers or Bundlore adware as a secondary payload that generates ad revenue for the threat actor behind the infection. There are three Shlayer variants that differ slightly from one another: Shlayer.A, which uses two code-signed shell scripts; Shlayer.B, which uses one code-signed shell script and one unsigned Mach-O app; and Shlayer.C, which uses one code-signed shell script. The malware also scans compromised hosts for one of several macOS antivirus products.

The NJCCIC recommends that macOS users and administrators review the Intego report and scan their networks for the Shlayer Indicators of Compromise (IoCs) it provides. If an infected system is identified, isolate it from the network immediately and thoroughly clean or reimage the system’s hard drive before recommissioning it. Additionally, users are discouraged from downloading any Flash Player updates offered by unexpected alerts received while browsing the internet, as this is a common attack vector for malware campaigns.