Summary
For nearly two years now, the Shlayer Trojan has been the most widely detected threat on macOS: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first samples of this family came into our hands back in February 2018, and we have since collected nearly 32,000 distinct malicious samples of the Trojan and identified 143 C&C server domains.

Malvertising campaigns delivering Shlayer malware for macOS are still ongoing, despite the patching of a critical zero-day vulnerability (CVE-2021-30657) that was abused for a long time to compromise systems by evading built-in OS protections such as Gatekeeper and also bypassing File Quarantine and Application Notarization. Recent Shlayer malvertising campaigns have returned to using fake Flash updates and social-engineering techniques to trick users into manually installing the macOS malware and compromising their own systems. Shlayer operators may no longer be using a zero-day vulnerability, but they are still resourceful.

OSX/Shlayer masquerades as a file that appears to be an update for a popular media player, but when launched it instead runs scripts that download other unwanted software onto the system. Shlayer remotely installs other malicious or potentially unwanted applications such as the Cimpli, Bnodlero, Geonei and Pirrit adware for macOS desktops, mostly targeting US-based users. Once installed, the adware collects the victim's personal information and tracks browsing activity, which can then be used to target additional advertisements.

The newest variant of the Trojan uses a Python script for stealthier execution of the malicious payload and uses data encryption for communication with its external command-and-control (C&C) server. The Python script and the crypto library are shipped inside the Trojan's DMG installer.
Conclusion
As discussed above, this iteration of the Shlayer Trojan-downloader now uses Python scripting for its payload, a defense-evasion technique used to bypass antivirus protection. While it is currently used to deliver nuisance applications such as search redirectors and other adware, its potential for damage is much greater. It should now be considered a serious security threat to macOS users, since it can be used to download any malicious application, not just PUAs, supported by new stealth features such as its encrypted communication channel with its C&C server.

Having studied the Shlayer family, we can conclude that the macOS platform is a lucrative source of revenue for cyber-criminals. Links to the Trojan are even hosted on legitimate resources; attackers are skilled in the craft of social engineering, and it is difficult to predict how sophisticated the next deception technique will be.

By Rahul Siraskar, CyberBugs
OSX/Shlayer Trojan Downloader attacks macOS desktops.
Updated: Jan 2, 2022