1. Home
  2. Software
  3. OSX/Shlayer

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[1][2]

ID: S0402
Associated Software: Zshlayer, Crossrider
Type: MALWARE
Platforms: macOS
Version: 1.4
Created: 29 August 2019
Last Modified: 30 August 2023

Associated Software Descriptions

Name Description
Zshlayer

[3]
Crossrider

[4][5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

OSX/Shlayer can masquerade as a Flash Player update.[1][2]
Enterprise T1140 反混淆/解码文件或信息

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1] Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.[3][6]
Enterprise T1059 .004 命令与脚本解释器: Unix Shell

OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command sh -c tail -c +1381... to extract bytes at an offset from a specified file. OSX/Shlayer uses the curl -fsL "$url" >$tmp_path command to download malicious payloads into a temporary directory.[1][3][6][7]
Enterprise T1083 文件和目录发现

OSX/Shlayer has used the command appDir="$(dirname $(dirname "$currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.[3][6]
Enterprise T1222 .002 文件和目录权限修改: Linux and Mac File and Directory Permissions Modification

OSX/Shlayer can use the chmod utility to set a file as executable, such as chmod 777 or chmod +x.[6][1][8]
Enterprise T1176 浏览器扩展

OSX/Shlayer can install malicious Safari browser extensions to serve ads.[4][5]
Enterprise T1548 .004 滥用权限提升控制机制: Elevated Execution with Prompt

OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1]
Enterprise T1204 .002 用户执行: Malicious File

OSX/Shlayer has relied on users mounting and executing a malicious DMG file.[1][2]
Enterprise T1082 系统信息发现

OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion.[1][3]
Enterprise T1105 输入工具传输

OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the curl -fsL "$url" >$tmp_path command to download malicious payloads into a temporary directory.[1][3][6][7]
Enterprise T1564 隐藏伪装

OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.[3][6][8]
.001 Hidden Files and Directories

OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.[1]
.009 Resource Forking

OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners.[9][10]
.011 Ignore Process Interrupts

OSX/Shlayer has used the nohup command to instruct executed payloads to ignore hangup signals.[8]
Enterprise T1553 .001 颠覆信任控制: Gatekeeper Bypass

If running with elevated privileges, OSX/Shlayer has used the spctl command to disable Gatekeeper protection for a downloaded file. OSX/Shlayer can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. OSX/Shlayer has been Notarized by Apple, resulting in successful passing of additional Gatekeeper checks.[1][8][7]

References

  1. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  2. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  3. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  4. Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
  5. Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
  1. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  2. Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code ...now notarized!? #2020. Retrieved September 13, 2021.
  3. Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.
  4. Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.
  5. Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.