A new Shlayer malware variant has been detected that infects Mac computers and disables macOS Gatekeeper security software.
The latest version of the malware was identified by researchers at Carbon Black and appears to only target MacOS versions from 10.10.5 to 10.14.3.
Shlayer malware is distributed via fake Flash Player updates. Warnings are generated when visiting websites advising the user that their Flash Player is out of date and that it requires an urgent security update. A year ago, when the malware was first identified, the Flash Player warnings were displayed to users visiting BitTorrent websites. The latest campaign uses malicious adverts served through third-party ad networks on legitimate websites – otherwise known as malvertising.
Users are told to download the update, which is delivered as DMG, ISO, PKG, or ZIP file. Carbon Black notes that the DMG file is signed with a legitimate Apple developer ID which avoids the generation of warnings. When mounted and executed, a hidden command script is launched, which in turn decrypts a second script. A further script installs the malicious payload.
One installed, system information is collected. A custom ID is created using harvested data and a second stage payload – an app file – is downloaded from a remote URL and executed.
Shlayer malware gains root privileges and tries to download additional malicious software. The sample intercepted by Carbon black downloaded adware onto the infected device. The malware also disables Gatekeeper using spctl, which allows additional payloads to be run undetected and without any user interaction.
While the initial campaign targeted a small subset of users that download files via Torrents sites, the latest campaign targets a much broader range of users and is more likely to be encountered through general web browsing.
Naturally, if you encounter a warning about Flash Player being out of date, visit the official Adobe website to check whether an update is required. Never download software updates in response to warnings received when browsing the internet.