Home » ZShlayer A New Variant Of Shlayer Abuses Apple’s notarization service.
Cyber Attack

ZShlayer A New Variant Of Shlayer Abuses Apple’s notarization service.

ZShlayer A New Variant Of Shlayer Abuses Apple’s notarization service
ZShlayer A New Variant Of Shlayer Abuses Apple’s notarization service

Shlayer Mac OS malware is a persistent threat that has managed to infect millions of Mac users since now. As the cyber-criminals are now shifting their focus to scripting language as their infection vector. They are using the script-based campaigns to deliver the threat as well as execute them on the system.

Shlayer is again becoming a new thing to concern as they are now abusing Apple’s macOS notarization service. To achieve this, the malware used a “Mach-O” binary in order to execute a “Bash” shell script in the memory. This happened as Apple shifted its scripting language from Zsh to Bash as now its default shell language.

Thus, the hackers were also finding ways that allow them bypass static signature checks of Apple and eventually drop the malware on the Mac OS.

Consequently, a new variant of Shlayer malware found deploying heavily obfuscating “Zsh” scripts to avoid the security detection. The researchers at SentinalOne, discovered a new variant that was named as ZShlayer.

ZShlayer Description

  • They found the malware variant using highly obfuscated Zsh scripting language to bypass the security tools;
  • The ZShlayer malware variant appears to be a standard Apple application that is bundled within a .dmg file.
  • Thus, this malware easily passed Apple’s notarizing checks. Hence, targeting the system and started delivering uncountable numbers of unwanted ads and pop-ups.

The ZShlayer Stages

Once in, the malware executes various Bash shell scripts to pass various stages before the final payload is dropped. Additionally, it also extracts various system-related information such as: session UID, machine ID and OS version.

The ZSlayer establish communication to the servers controlled by its authors at http://dqb2corklaq0k.cloudfront.net/13.226.23.203, and exfiltrate the collected information. After which, it delivers the final payloads.

Propagation Means

While the original Shlayer malware came into light in February 2019. The threat was rigorously being distributed as fake updates of Adobe Flash Player. However, it conceals the payloads of the virus and eventually infecting the Apple Mac devices and system.

As far as ZShlayer is concerned, it may use a bundle of cracked or pirated software to spread its payload. Thus, users should avoid relying on download pirated software or freeware from third-party platforms.

Why can ZShlayer pose a real threat?

The researchers say that the ZShlayer campaigns can further evolve to be a dangerous threat for Apple Mac users, as it was able to successfully abuse Apple’s Notarization service. And bypass the security tools.

Additionally, the prime motive of the ZShlayer is to eventually drop/install Shlayer malware on the target system. This is done to avoid the Shlayer being detected under the scanner, as it does not use the same signature as the original one. It appears to be a standard Apple Application. So, this becomes easy for the hacker to deliver it silently.

Fortunately, the ZShlayer is still not being rigorously distributed. So, users should avoid downloading unwanted or pirated software from third-party sources or unsafe websites. Rather visit the official Apple Store to do so.

Also, install a reputable anti-malware program so as to detect the presence of any unwanted program as soon as it gets installed.

How To Scan For Pirated Or Unwanted Software On Your Mac

Combo Cleaners LogoCombo Cleaner DOWNLOAD LINK
(The above link will open a new page from where the Combo Cleaner will download)
“ZShlayer” may reinstall itself multiple times if you don’t delete its core files. We recommend downloading Combo Cleaner to scan for malicious programs. This may save your precious time and effort. Combo Cleaner scans the infected PC for free but you need to purchase its full version for complete removal. More information on Combo Cleaner.

Combo Cleaner is a complete security suite for Mac OS that is developed by “RCS LT” company. This program is featured with anti-virus scanner and system optimization tools like disk cleaner, duplicate files finder, application uninstaller, privacy scanner, and 24*7 customer support service.

It is very important to have a reliable anti-virus solution for the computer system. Combo cleaner is one of the best options for MAC users as detects and eliminates all sorts of threats like adware, browser hijacker, Trojans, and other malware.

How to Install and Scan with Combo Cleaner

  • 1. Click the above button to Download the “Combo Cleaner”;

  • 2. Once the download completes, double-click on the downloaded file;

  • 3. After the window opens, drag the Combo Cleaner program icon and drop it into your “Applications folder” icon.

    Combo Cleaner Install Step 2
    Combo Cleaner Install Step 2
  • 4. Now, open your “Launchpad” and click on the “Combo Cleaner” icon.

    Combo Cleaner Install Step 3
    Combo Cleaner Install Step 3
  • 5. This will start the combo cleaner installation and updates its latest virus definition. Once done, Combo cleaner will launch;

    Combo Cleaner Dashboard
    Combo Cleaner Dashboard
  • 6. Click on “Antivirus” tab and choose the scan options like Quick, Full, and custom. (Full is recommended for the first time)

    Combo Cleaner Antivirus Scan
    Combo Cleaner Antivirus Scan
  • 7. Let the scan be completed and it will list all the threats found. Now, click on “Remove All Threats”;

    Combo Cleaner Scan Results
    Combo Cleaner Scan Results
  • 8. after removing the threats, click on the “uninstaller” to find and remove any unwanted programs. Select the program from the list and its related files and then click on “Remove Selected Items“

    Remove ZShlayer And Other Threats
    Remove ZShlayer And Other Threats

About the author

UnboxHow Team

If you have come this far, it means that you liked what you are reading. Why not reach little more and connect with us directly on Google Plus, Facebook or Twitter. We would love to hear your thoughts and opinions on our articles directly.

Add Comment

Click here to post a comment