Shlayer is a macOS malware discovered by Intego researchers. The malware, disguised as a fake Adobe Flash Player update, spreads via BitTorrent file-sharing sites: the lure appears when a user clicks a link to copy a torrent's magnet link. The malware leverages shell scripts to install MacOffers or Bundlore adware – used to generate ad revenue for the threat actor behind the infection – as a secondary payload. There are three Shlayer variants that differ slightly from one another: Shlayer.A uses two code-signed shell scripts; Shlayer.B uses one code-signed shell script and one unsigned Mach-O app; and Shlayer.C uses one code-signed shell script. The malware also scans compromised hosts for one of several macOS anti-virus products.

Reporting & Technical Details

  • Additional technical details, including IoCs, are provided in Intego's report.

  • January 2019: Malvertising group VeryMal delivered Shlayer to users via fraudulent software updates. (Confiant)

  • February 2019: New Shlayer variant disables macOS Gatekeeper to run unsigned payloads. (Carbon Black)
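A defender-side illustration of the Gatekeeper point above, added here and not part of the NJCCIC profile or the Carbon Black report: a small Python detector that scans process-execution telemetry for the `spctl --master-disable` invocation, the documented command for switching Gatekeeper assessments off, and raises the priority when the parent process runs from a mounted volume posing as a Flash Player installer, matching the delivery described at the top of the page. That Shlayer used this exact spctl invocation is an assumption (the page only states that the variant disables Gatekeeper), and the log format, `find_gatekeeper_tampering` function and all sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-execution telemetry, one event per line:
#   timestamp | parent process path | executed command line
# Lines 2 and 3 model the behaviour the page describes; the others are benign
# spctl uses (querying status, adding a developer label) that must not alert.
SAMPLE_LOG = """\
2019-02-11T10:02:13Z | /Applications/Safari.app/Contents/MacOS/Safari | /usr/bin/open /Users/alice/Downloads/Flash_Player.dmg
2019-02-11T10:02:40Z | /Volumes/Flash Player/Install.app/Contents/MacOS/Install | /bin/sh -c 'spctl --master-disable'
2019-02-11T10:02:41Z | /bin/sh | /usr/sbin/spctl --master-disable
2019-02-11T10:05:00Z | /usr/sbin/sshd | /usr/bin/spctl --status
2019-02-11T10:06:30Z | /bin/zsh | /usr/sbin/spctl --add --label Dev /Applications/Tool.app
"""

@dataclass(frozen=True)
class Finding:
    timestamp: str
    parent: str
    command: str
    reason: str

# spctl disabling Gatekeeper assessments, whether invoked bare, by full path,
# or wrapped in a quoted `sh -c` string.
GATEKEEPER_DISABLE = re.compile(r"(?:^|[\s/'\"])spctl\s+--master-disable\b")

def parse_line(line):
    """Split one constructed telemetry line into (timestamp, parent, command)."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3:
        return None
    return tuple(parts)

def find_gatekeeper_tampering(log_text):
    """Return a Finding for every event that turns Gatekeeper assessments off."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, parent, cmd = rec
        if not GATEKEEPER_DISABLE.search(cmd):
            continue
        reason = "Gatekeeper assessments disabled via spctl"
        # Shlayer arrives as a fake Flash Player update on a mounted disk image,
        # so a parent under /Volumes/ with "flash" in its path is a stronger signal.
        if "/Volumes/" in parent and "flash" in parent.lower():
            reason += " (parent runs from a mounted volume posing as Flash Player)"
        findings.append(Finding(ts, parent, cmd, reason))
    return findings

if __name__ == "__main__":
    for f in find_gatekeeper_tampering(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.reason}\n    parent:  {f.parent}\n    command: {f.command}")
```

Only the two disable events are reported; `--status` and `--add` are ordinary administrative uses and pass through. On a real host the same check belongs in the EDR or unified-log pipeline that records process execution, and a Gatekeeper disable that is not tied to a known administrative change is worth treating as an incident on its own.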

Tags: MacOS Malware, NJCCIC, shlayer