{"id":75766,"date":"2018-02-21T07:43:00","date_gmt":"2018-02-21T15:43:00","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=75766"},"modified":"2022-09-27T12:00:34","modified_gmt":"2022-09-27T19:00:34","slug":"osxshlayer-new-mac-malware-comes-out-of-its-shell","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/osxshlayer-new-mac-malware-comes-out-of-its-shell\/","title":{"rendered":"OSX\/Shlayer: New Mac malware comes out of its shell"},"content":{"rendered":"

\"\"Over the weekend, Intego researchers discovered multiple variants of new Mac malware, OSX\/Shlayer<\/strong>, that leverages a unique technique.<\/p>\n

Although malware that disguises itself as an update to Adobe Flash Player is nothing new, some of the latest incarnations of fake Flash Player\u00a0installers\u00a0have an unusual method of downloading additional content.<\/p>\n

How\u00a0are\u00a0Macs getting infected?<\/h3>\n

Intego researchers found OSX\/Shlayer spreading via BitTorrent file sharing sites, appearing as a\u00a0fake Flash Player update when a user attempts to select a link to copy a torrent magnet link<\/a>.<\/p>\n

\"\"Torrent sites are notorious for distributing malware and adware,\u00a0sometimes\u00a0through misleading advertisements, and sometimes through\u00a0Trojan horse<\/a>\u00a0downloads that claim to be “cracks” or that may contain infected copies of legitimate software\u00a0(watch our recent\u00a0interview with Amit Serper<\/a>\u00a0or read our article\u00a0Why BitTorrent Sites Are a Malware Cesspool<\/a>\u00a0to learn more about the dangers of torrent sites).<\/p>\n

Even if you don’t use torrent sites, you may encounter\u00a0other sites that claim you need to update Flash Player; in most cases,\u00a0this is actually an attempt to install\u00a0malware on your computer.<\/strong><\/p>\n

On some of the malware distribution pages, the\u00a0fake Flash Player alerts are customized to your browser. If you’re using Mozilla Firefox, you may see an upward-facing arrow appear pointing to the browser\u00a0toolbar that indicates that there is a recent download available to open.<\/p>\n

\"\"<\/p>\n

If you’re using Google Chrome, you may see a\u00a0pop-up message pointing to the bottom-left corner of the browser window where newly available downloads appear. Ironically, Google Chrome has its own built-in version of Flash Player that users don’t need to update manually; it\u00a0gets updated automatically whenever Google issues an update for Chrome itself.<\/p>\n

\"\"<\/p>\n

What’s unique about OSX\/Shlayer?<\/h3>\n

The initial Trojan horse infection (the fake Flash Player installer) component of\u00a0OSX\/Shlayer leverages shell scripts to download additional malware or adware onto the infected system.<\/p>\n

You can think of shell scripts<\/strong> as a way to execute a\u00a0series\u00a0of commands in sequence, sometimes without requiring any user interaction. They’re\u00a0sort of like\u00a0a command-line equivalent of an Automator<\/a> or AppleScript<\/a> app, or the Mac equivalent of a Windows .bat (“batch”) file. Instead of malware having to open up the Terminal<\/a> on your Mac and type commands right before\u00a0your eyes (which would be a pretty obvious sign of infection), malware can secretly execute those commands in the background without the user’s knowledge by\u00a0leveraging shell scripts.<\/p>\n

\"OSX\/Shlayer<\/p>\n

Malware that downloads additional malicious or undesirable code is known as a dropper<\/strong>. Intego’s research team observed OSX\/Shlayer\u00a0behaving as a dropper\u00a0and\u00a0installing\u00a0OSX\/MacOffers<\/strong>\u00a0(also known as BundleMeUp, Mughthesec<\/a>, and Adload)\u00a0or\u00a0OSX\/Bundlore<\/strong>\u00a0adware as\u00a0a secondary payload.<\/p>\n

There are three variants of the newly discovered malware, detected by Intego VirusBarrier as OSX\/Shlayer.A<\/strong>, OSX\/Shlayer.B<\/strong>, and\u00a0OSX\/Shlayer.C<\/strong>, that differ as follows:<\/p>\n