![\"OSX\/Shlayer](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/02\/OSX-Shlayer_logo.png\"){kind=logo}
<\/p>\n<\/p>\n
Last\u00a0February, Intego researchers discovered<\/a> a new variant of the OSX\/Shlayer malware,\u00a0disguising itself as an Adobe Flash Player update to infect systems with adware. OSX\/Shlayer was also found in torrent downloads as part of (or pretending to be) software cracks.<\/p>\n Today, Thomas Reed reported<\/a> on a new variant\u00a0of OSX\/Shlayer that uses new tricks to get its job done. It installs a configuration profile that forces a browser’s homepage to be set as “chumsearch[dot]com.” This profile would take control of the homepage settings in Safari and Chrome and also set the “Open new window with” or “Open new tab with” settings to use the Chumsearch URL. While we did not observe this behavior in our tests, we did find a few other interesting things.<\/p>\n As with the previously discovered Shlayer malware variants, this one comes as either a fake Adobe Flash Player\u00a0or\u00a0a crack (patch) to some kind of paid software. To pick up one of these fake Adobe Flash Player installers, one must wander around BitTorrent sites<\/a> and it’ll surely pop up.<\/p>\n To obtain Shlayer as part of a software crack,\u00a0BitTorrent\u00a0sites are also to blame. This is not to say that this malware variant, or any other variants, can’t be found on other possibly legit websites, but we\u00a0have yet to spot Shlayer there.<\/p>\n Once a user is tricked into downloading the fake Adobe Flash Player (or a site downloads it automatically), the result is typically a self mounting disk image. The user is then presented with a window that looks mostly like this:<\/p>\n Once the installer is launched, an agreement will pop up that looks absolutely nothing like the one included in the real Adobe Flash Player installer, and two installation types are offered: Express (recommended) or Custom Installation (expert). The wording is, of course, carefully chosen to deter users from selecting the Custom Installation option and seeing what is really being installed.<\/p>\n Even without scrolling through it, you can tell the presented agreement does not reference Adobe Flash Player, instead it references Advanced Mac Cleaner. This should be a big red flag, but most users may be\u00a0so accustomed to quickly\u00a0clicking “OK,” “Continue” and “Agree” to finally get their installation going.\u00a0(These windows could mention irrefutable proof Bigfoot exists and in all likelihood no-one would notice.)<\/p>\n When the “Accept >>” button is clicked, the user will be presented with a password request.<\/p>\n And when the “Ok” button is clicked, the installer will take over. A window will cover most of the screen and display a progress bar asking the user to please wait. This window cannot be activated, moved or closed.<\/p>\n With the installer window open, several components are downloaded in the background. This includes all or some of the following:<\/p>\n It also adjusts the Homepage in Safari, and probably Chrome and other browsers as well, to:<\/p>\n http: \/\/www.chumsearch. com\/search\/?asset=hp&wtguid=61409200915943979&wtsrc=5409&wtdt=042318&wtbr=1&wtpl=10.12.6&v=5.0<\/p>\n However, it\u00a0fails to make further adjustments that would cause new windows or tabs to load this URL.<\/p>\n Chumsearch<\/b>\u00a0mimics a (very poor) Google search website, which will pop up any time the homepage is requested. This page also features an ad from another company, which should raise red flags right away.<\/p>\n Intego VirusBarrier<\/a> detects Chumsearch and all of its components as OSX\/Chumsearch<\/strong>. Intego VirusBarrier<\/a> detects Advanced Mac Cleaner and all of its components as OSX\/AMC.fs<\/strong>.<\/p>\n MyMacUpdater<\/strong> is another Potentially Unwanted Program (PUP), which did not install in this particular round of testing. However, we have encountered it before and Intego VirusBarrier detects it as OSX\/Bundlore<\/strong>.<\/p>\n OSX\/Shlayer is simply\u00a0the dropper that acts as the gateway to your system and installs a host of other components, such as those mentioned above. This variant uses double base64 encoding to make it harder for malware researchers to, well, research. For example, the Shlayer installer is called on this path:<\/p>\n Which\u00a0is an encoded version of:<\/p>\n Which is an encoded version of:<\/p>\n By double encoding data, it doesn’t fool automated processes, but it makes the discovery and analysis by humans a bit trickier.<\/p>\n According to\u00a0Thomas Reed, this new Shlayer variant uses a new trick.<\/p>\n In the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to always open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the browser\u2019s settings.<\/p><\/blockquote>\n Image credit: Thomas Reed<\/p><\/div>\n This is not behavior we were able to reproduce, but we have seen\u00a0at least one other report of this configuration profile being installed by a web developer in the MacAdmins Slack.<\/p>\n Currently, Shlayer has been found only on BitTorrent websites, disguised as fake Adobe Flash Player installers or embedded in downloaded torrent files posing as cracks. Therefore, if you do not frequent such websites\u2014and you shouldn\u2019t because BitTorrent sites are a malware cesspool<\/a>\u2014chances of infection are at the moment very low.<\/p>\n If there is an increased risk of infection, users should be concerned. The injecting of ads and hijacking of the homepage are just one aspect of this malware. The Safari and Chrome extensions can do the following:<\/p>\n This includes names, passwords, phone numbers, email addresses, credit card details and much more. Having your online bank statement or Amazon login details transmitted to an unknown party is\u00a0certainly\u00a0not ideal.<\/p>\n A dropper like Shlayer can download and install anything it wants. The components that end up on your Mac are dictated by the servers it connects to and the instructions programmed into it. These kinds of installer are also constantly modified to include new techniques (such as the one found by Thomas Reed) and install new components. As such, it is not possible to give a definitive list of components to search for, but in the case of this particular OSX\/Shlayer variant, we know of these components:<\/p>\n If any of these components are\u00a0found on your Mac, delete them, restart your Mac and empty the trash.<\/p>\nHow are Macs getting infected?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/01-Fake-Flash-Player-Installer.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/02-1-Fake-Flash-Player-Installer-Agreement.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/02-Fake-Flash-Player-Installer-Agreement.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/03-Fake-Flash-Player-Installer-Password.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/04-Fake-Flash-Player-Installer-Installing.png\")
<\/p>\nWhat does OSX\/Shlayer install?<\/h3>\n
\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/05-ChumSearch-Homepage.png\")
<\/p>\n
\n
\nAdvanced Mac Cleaner<\/strong> is scareware. It shows a scanner that found a lot of issues on your Mac and, of course, claims that the way to fix all these issues is by paying up to $107. This application will pop up after every restart.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/06-AMC-Dashboard.png\")
<\/p>\n\n
\n\n\n\n\n\"YlcwdGFXNXpkR0ZzYkMxdFlXTnZjeTVoY0hBdlEyOXVkR1Z1ZEhNdlRXRmpUMU12YlcwdGFXNXpkR0ZzYkMxdFlXTnZjd289Cg==\"<\/span><\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/blockquote>\n\n
\n\n\n\n\nbW0taW5zdGFsbC1tYWNvcy5hcHAvQ29udGVudHMvTWFjT1MvbW0taW5zdGFsbC1tYWNvcwo=<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/blockquote>\n\n
\n\n\n\n\nmm-install-macos.app\/Contents\/MacOS\/mm-install-macos<\/span><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/blockquote>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/04\/Crossrider-Mac-profile-20180418.png\")
Should Mac users be concerned about OSX\/Shlayer?<\/h3>\n
\n
How to tell if your Mac is infected (and removal instructions)<\/h3>\n
\n
\nIn case you did stumble upon the particular installer Thomas Reed mentions, also have a look here:<\/strong><\/li>\n
\n<\/strong><\/span><\/li>\nHow to protect yourself from OSX\/Shlayer<\/h3>\n