Shlayer Malware targets macOS

A new Shlayer macOS malware variant obfuscates itself to sneak past security tools and compromise a target machine.

Dubbed ‘ZShlayer’, the variant does not conform to the original Shlayer signatures, meaning that it can go unnoticed by some malware scanners.

Earlier versions of the original Shlayer malware came as shell script executables on a removable .DMG disk image. This new variant instead ships a standard Apple application bundle inside the .DMG.

The new variant utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.
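As an added defensive example (not code from the original post, and not a published Shlayer signature): a small Python triage script that walks an extracted .app bundle, picks out zsh scripts by their shebang, and flags those carrying obfuscation indicators. The indicator list, the thresholds, and the constructed sample bundle are assumptions for illustration.

```python
import base64, math, os, re, tempfile

# Assumed indicators of an obfuscated shell stage (not a published Shlayer signature).
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\b"),
    "base64_decode": re.compile(r"base64\s+(-D|-d|--decode)"),
    "long_blob": re.compile(r"[A-Za-z0-9+/=]{80,}"),
}

def shannon_entropy(data):
    # Bits per byte; encoded or packed payloads sit well above readable shell text.
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def is_zsh_script(data):
    first_line = data.split(b"\n", 1)[0]
    return first_line.startswith(b"#!") and b"zsh" in first_line

def score_script(data):
    text = data.decode("utf-8", errors="replace")
    hits = [name for name, pat in OBFUSCATION_PATTERNS.items() if pat.search(text)]
    entropy = round(shannon_entropy(data), 2)
    # Two independent indicators, or payload-like entropy, is enough to flag for triage.
    return {"hits": hits, "entropy": entropy, "suspicious": len(hits) >= 2 or entropy > 5.5}

def scan_bundle(bundle_path):
    # Walk an extracted .app bundle and score every zsh script found anywhere inside it.
    findings = []
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_zsh_script(data):
                findings.append(dict(score_script(data), path=os.path.relpath(path, bundle_path)))
    return findings

def build_sample_bundle():
    # Constructed sample: a plain launcher beside an eval/base64 stage in Contents/MacOS.
    macos_dir = os.path.join(tempfile.mkdtemp(), "Sample.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    blob = base64.b64encode(bytes(range(256)))[:120]
    with open(os.path.join(macos_dir, "helper"), "wb") as fh:
        fh.write(b"#!/bin/zsh\necho 'launching'\nopen -a Safari\n")
    with open(os.path.join(macos_dir, "Sample"), "wb") as fh:
        fh.write(b"#!/bin/zsh\neval \"$(echo " + blob + b" | base64 -D)\"\n")
    return os.path.dirname(os.path.dirname(macos_dir))
```

Run `scan_bundle(build_sample_bundle())` to see the constructed launcher pass and the eval/base64 stage flagged; point `scan_bundle` at a bundle copied out of a mounted .DMG to triage a real sample.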

Fortunately, it seems that ZShlayer infections are currently isolated to users who have downloaded illicit software outside of Apple’s official App Store ecosystem.

Most ZShlayer droppers that I saw were in trojanized cracked software, so the usual caveat applies about avoiding downloading pirated versions of products.

Shlayer, malware that poses as an Adobe Flash software update before infecting Apple operating systems, was first discovered back in February 2019.

The attack represents what’s thought to be the first time that malicious code has gained Apple’s notarization “stamp of approval”.

Apple responded promptly to reports of malfeasance by revoking the developer code-signing certificate abused in the Shlayer-slinging campaign.
