Apple Users Targeted by Malvertising Group

A malicious advertising (malvertising) group, dubbed “VeryMal,” targeted Apple users in a malvertising campaign that employed steganography to hide malicious code inside advertisements (ads). After a user clicks on the malicious ad, the embedded JavaScript code forces the browser to navigate to a URL that displays a popup instructing the user to install software updates, often for Adobe Flash Player. These software updates contain a version of the Shlayer macOS malware. This variant is used as a jumping-off point to install additional malware onto a user’s system. The group is believed to have taken control of over five million web sessions from legitimate sites. The NJCCIC advises users to avoid clicking on ads on webpages or in popups, refrain from downloading any software from unofficial channels or sites, and ensure hardware, software, and anti-virus/anti-malware programs are up to date. More information on the VeryMal group and their activities can be found in the Confiant report.