![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/04\/fake-flash-600x300.jpeg\")
<\/p>\n<\/p>\n
Intego has discovered new Mac malware in the wild, actively spreading through malicious results in Google searches.<\/p>\n
The new malware tricks victims into bypassing Apple’s built-in macOS security protections, and it uses sneaky tactics in an effort to evade antivirus detection.<\/p>\n
As of Friday, the new malware installer and its payload had a 0\/60 detection rate among all antivirus engines on VirusTotal. Intego VirusBarrier<\/strong><\/a> is the first anti-malware solution that is known to detect and remove this malware.<\/p>\n Intego identifies the new malware as unique new variants of OSX\/Shlayer<\/strong><\/a> (the original variant of which was first discovered by Intego in 2018<\/a>) and OSX\/Bundlore<\/strong> (with similarities to past versions of OSX\/MacOffers and Mughthesec<\/a>\/BundleMeUp\/Adload).<\/p>\n In this article:<\/p>\n <\/a><\/p>\n As is commonly seen in Mac malware, this newly updated Shlayer malware is delivered as a Trojan horse application on a .dmg disk image, masquerading as an Adobe Flash Player installer.<\/p>\n Note: The “censored” appearance is how it actually appears on victims’ Macs.<\/p><\/div>\n After the deceptive Flash Player installer is downloaded and opened on a victim’s Mac, the disk image will mount and display instructions on how to install it. The instructions tell users to first “right-click” on flashInstaller and select Open, and then to click Open in the resulting dialog box.<\/p>\n “Get Info” window for the flashInstaller file<\/p><\/div>\n If a user follows the instructions, the “installer app” launches. While the installer has a Flash Player icon and looks like a normal Mac app, it’s actually a bash shell script that will briefly open and run itself in the Terminal app.<\/p>\n A portion of the script’s code, showing the beginning of the embedded .zip file<\/p><\/div>\n As the script runs, it extracts a self-embedded, password-protected .zip archive file, which contains a traditional (though malicious) Mac .app bundle. After installing the Mac app into a hidden temporary folder, it launches the Mac app and quits the Terminal. All this takes place within a split second.<\/p>\n Once the Mac app launches, it downloads a legitimate, Adobe-signed Flash Player installer, so that it can appear to be genuine\u2014but the hidden Mac app is designed to also have the capability to download any other Mac malware or adware package, at the discretion of those controlling the servers to which the hidden Mac app phones home.<\/p>\n The developers’ decision to hide the Mac .app within a password-protected .zip file, and to hide that within a bash shell script, is a novel idea\u2014and it is also extremely clear evidence that the developers are trying to evade detection by antivirus software.<\/a><\/p>\n While searching Google for the exact titles of YouTube videos, Intego’s research team encountered Google search results that, when clicked, pass through multiple redirection sites and end up on a page that claims the visitor’s Flash Player is out of date, and displays deceptive warnings and fake dialog boxes to entice the victim to download a supposed Flash Player updater\u2014which is, in fact, a Trojan horse.<\/p>\n This newly re-engineered malware purports to be a legitimate Flash Player installer, but it has the capability to surreptitiously download and install additional unwanted packages containing adware or spyware.<\/p>\n Last year, Intego was also the first to discover OSX\/CrescentCore<\/a>, another example of search results leading to Mac malware. Like the new Shlayer variant, CrescentCore was a Trojan horse disguising itself as a Flash Player installer.<\/a><\/p>\n Although in this particular case the malware was found via Google search results, the same thing could happen with any search engine: Bing, Yahoo!, DuckDuckGo<\/a>, Startpage<\/a>, Ecosia, or any others.<\/p>\n Search engines face numerous challenges in trying to prevent poisoned search results that lead to malware.<\/p>\n For one thing, malware is constantly changing in order to evade detection, as evidenced by this new malware campaign. Even if Google had scanned the site for known malware before indexing it, Google wouldn’t have found any, because the malware was brand new and as-yet undiscovered.<\/p>\n For another thing, pages are often designed to dynamically present different content depending on the context. If a Web server determines that Google is crawling the site, it may present an entirely different page from the one you might see if you go directly to the URL in your browser\u2014and that page may be different from the page you’d see if you click on a link in Google search results (meaning google.com is the “referrer”), as was the case with this campaign.<\/p>\n It may not be an impossible task, but it’s certainly a significant challenge to try to keep all potentially harmful content from appearing in search results.<\/p>\n Intego has reported the known-malicious search results to Google.<\/a><\/p>\n A lot of Mac malware in the past couple years has been “signed” by an Apple Developer Account, meaning that the malware maker has paid for an Apple account (or at least hijacked a legitimate developer’s account) in order to get special access to developer resources (and, in some cases, less scrutiny from built-in protections in macOS).<\/p>\n Interestingly, the makers of this malware didn’t even bother getting an Apple Developer Account. Instead, they used a sneaky tactic to trick victims into bypassing Apple’s built-in protections.<\/p>\n Normally, as of macOS Catalina, users will see a dialog box like this if they double-click on a Mac app that isn’t signed with a valid (and non-revoked) Apple Developer Account:<\/p>\n Catalina alert message: “macOS cannot verify that this app is free from malware.” Image: Apple<\/a>.<\/p><\/div>\n By tricking a user into “right-clicking” (Apple calls this Control-clicking<\/a>) on a malware app and clicking Open, victims will instead see a dialog box more like this:<\/p>\n Catalina alert message: “By opening this app, you will be overriding system security which can expose your computer and personal information to malware that may harm your Mac or compromise your privacy.” Image: Apple<\/a>.<\/p><\/div>\n Note that in this slightly different dialog box, there’s an “Open” button. In this case, the malware makers are hoping you’ll ignore Apple’s fine print and instead blindly follow the instructions from the malicious disk image’s background image.<\/a><\/p>\n Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can detect and eliminate this malware. (Customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected.)<\/p>\n Very few other third-party antivirus solutions are known to detect it, as of when this article was last updated.<\/a><\/p>\n In general, fake Flash Player installers seem to be very successful, since Mac malware makers have continued to use Flash installers as a Trojan horse for nearly a decade.<\/p>\n Related: Adobe Flash Player is dead, yet 10% of Macs are infected with fake Flash malware<\/a><\/em><\/p>\n\n
What does the new malware do? How is it unique?<\/h3>\n
![\"OSX\/Shlayer](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/06\/Shlayer-disk-image-June-2020-1024x799.png\")
![\"OSX\/Shlayer](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/06\/Shlayer-Get-Info-window-June-2020-584x1024.png\")
![\"OSX\/Shlayer](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/06\/Shlayer-code-June-2020.png\")
Is this malware in the wild? How does it spread?<\/h3>\n
![\"OSX\/Shlayer](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/06\/Shlayer-deceptive-site-June-2020-1024x676.png\")
<\/p>\n![\"OSX\/CrescentCore](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/OSX-CrescentCore-logo-325x350-139x150.png\"){kind=logo}
This is far from the first time that search engine results have led to in-browser fake dialog boxes and malicious downloads; this has been happening for more than a decade<\/a>.<\/p>\nCan’t Google stop this?<\/h3>\n
How does the malware bypass protections built into macOS?<\/h3>\n
![\"Catalina](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/06\/macos-catalina-alert-unsigned.jpg\")
![\"Catalina](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/06\/macos-catalina-alert-unsigned-override.jpg\")
How can the malware be removed?<\/h3>\n
Are there a lot of victims of this specific malware?<\/h3>\n