A new Shlayer macOS malware variant which obfuscates itself to sneak past security tools and compromise a target machine.
Dubbed ‘ZShlayer’, the variant does not conform to the original Shlayer signatures, meaning that it can go unnoticed by some malware scanners.
Earlier versions of the original Shlayer malware came as shell script executables on a removable .DMG disk image. This new variant comes using a standard Apple application bundle inside the .DMG.
A new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.
Fortunately, it seems that ZShlayer infections are currently isolated to users who have downloaded illicit software outside of Apple’s official App Store ecosystem.
Most ZShlayer droppers that I saw are in trojanized cracked software, so the usual caveat applies about avoiding downloading pirated versions of products.
Shlayer, malware which poses as an Adobe Flash software update before infecting Apple operating systems, was first discovered back in February 2019.
The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.
Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.