Shlayer

Shlayer is macOS malware discovered by Intego researchers. The malware, disguised as a fake Adobe Flash Player update, spreads via BitTorrent file-sharing sites: it is delivered when a user clicks a link to copy a torrent magnet link. The malware uses shell scripts to install MacOffers or Bundlore adware as a secondary payload; the adware generates ad revenue for the threat actor behind the infection. There are three Shlayer variants that differ slightly from one another: Shlayer.A uses two code-signed shell scripts; Shlayer.B uses one code-signed shell script and one unsigned Mach-O app; and Shlayer.C uses one code-signed shell script. The malware also scans compromised hosts for one of several macOS anti-virus products.

Technical Details

  • Additional technical details, including IoCs, are provided by Intego here.