Shlayer Trojan
Summary
Shlayer is a widespread adware trojan believed to have affected almost 10% of all macOS systems. It spreads through malicious adverts (malvertising) and is used to deliver additional payloads.
Threat details
Introduction
First observed in February 2018, Shlayer is a family of adware trojans targeting macOS users. New Shlayer variants are generated on an almost hourly basis, and it now accounts for almost 10% of all macOS malware detections.
Delivery
Shlayer is typically delivered via malicious adverts whose JavaScript or AppleScript content is hidden steganographically inside image files. Concealing the script this way lets it pass advertising content filters; when a user interacts with the advert, the script fingerprints the browser and system to decide whether the user is a suitable target for Shlayer.
Users who meet the criteria are then shown a pop-up advert telling them that a piece of utility software is out of date (most often a fake Adobe Flash Player update). Accepting the update instead downloads a Shlayer dropper, which installs the trojan.
Certain versions of Shlayer have been observed being delivered as trojanised torrent files or cracked software downloads.
Activities
Once installed, Shlayer checks for the presence of several macOS-specific security products before running a series of shell and AppleScript scripts that download further adware and malware. The downloaders are distributed as applications signed with valid Apple Developer ID certificates, so they pass the Gatekeeper trusted-application check, and the payloads they fetch are installed in a way that lets them run without triggering it.
Newer versions of Shlayer exploit a logic flaw in macOS (CVE-2021-30657) that lets a crafted application bundle launch without being assessed by Gatekeeper, File Quarantine or Notarization, so unsigned and unnotarised payloads run with no warning to the user. The flaw does not grant elevated privileges; the payload runs as the user who opened it.
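The triage script below is an added example written for this page; it is not NHS Digital, Apple or Shlayer code. It applies the public description of the patched flaw (a bundle with no Contents/Info.plist whose main executable is a script rather than a Mach-O binary was not classified as an application, so it launched without Gatekeeper, quarantine or notarisation checks) to flag such bundles, and reports whether the com.apple.quarantine attribute is present. The bundle layout and Mach-O magic numbers are Apple's published formats; the function names, the findings wording and the two constructed sample bundles are this example's own choices, and os.getxattr is Linux-only, so on macOS it falls back to the xattr(1) tool.

```python
"""Triage a macOS .app bundle for the CVE-2021-30657 bypass pattern abused by Shlayer.
Added example for this advisory (not NHS Digital, Apple or Shlayer code)."""
import errno
import os
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Mach-O magic numbers: 32-bit, 64-bit and universal (fat), both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}
QUARANTINE_XATTR = "com.apple.quarantine"


def quarantine_state(path: Path) -> Optional[bool]:
    """True/False if the quarantine xattr can be queried, None if the platform cannot tell."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is not None:
        try:
            getxattr(str(path), QUARANTINE_XATTR)
            return True
        except OSError as exc:
            absent = (errno.ENODATA, getattr(errno, "ENOATTR", errno.ENODATA))
            return False if exc.errno in absent else None  # e.g. ENOTSUP on Linux
    if shutil.which("xattr"):  # macOS: xattr -p exits 0 only if the attribute exists
        proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, str(path)],
                              capture_output=True, text=True)
        return proc.returncode == 0
    return None


def triage_bundle(app: Path) -> Dict[str, object]:
    """Return findings for one bundle; 'suspicious' is True when the bypass pattern is seen."""
    contents = app / "Contents"
    findings: List[str] = []
    executable: Optional[Path] = None
    info_plist = contents / "Info.plist"
    if info_plist.is_file():
        with info_plist.open("rb") as fh:
            exe_name = plistlib.load(fh).get("CFBundleExecutable")
        if exe_name:
            executable = contents / "MacOS" / exe_name
    else:
        findings.append("no Contents/Info.plist: not classified as an app, so not "
                        "assessed by Gatekeeper (CVE-2021-30657 pattern)")
        macos_dir = contents / "MacOS"
        candidates = sorted(macos_dir.iterdir()) if macos_dir.is_dir() else []
        executable = candidates[0] if candidates else None
    if executable is None or not executable.is_file():
        findings.append("no main executable found under Contents/MacOS")
    else:
        with executable.open("rb") as fh:
            head = fh.read(4)
        if head.startswith(b"#!"):
            findings.append(f"main executable {executable.name} is a script, not a Mach-O binary")
        elif head not in MACHO_MAGICS:
            findings.append(f"main executable {executable.name} has an unrecognised header")
    return {
        "bundle": app.name,
        "suspicious": bool(findings),
        "findings": findings,
        # Informational: with no quarantine flag Gatekeeper never assesses the item at all.
        "quarantined": quarantine_state(app),
    }


def build_demo_bundle(root: Path, name: str, with_plist: bool, script_exe: bool) -> Path:
    """Write a throwaway bundle to disk. Constructed sample, not a real Shlayer artefact."""
    macos_dir = root / f"{name}.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    exe = macos_dir / name
    if script_exe:
        exe.write_bytes(b"#!/bin/sh\necho constructed payload\n")
    else:
        exe.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit Mach-O magic, stub header
    exe.chmod(0o755)
    if with_plist:
        with (macos_dir.parent / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleExecutable": name}, fh)
    return macos_dir.parent.parent


def demo() -> Dict[str, Dict[str, object]]:
    """Triage one well-formed bundle and one bypass-style bundle in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        benign = build_demo_bundle(root, "Benign", with_plist=True, script_exe=False)
        bypass = build_demo_bundle(root, "Installer", with_plist=False, script_exe=True)
        return {"benign": triage_bundle(benign), "bypass": triage_bundle(bypass)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run it against a downloaded bundle with `triage_bundle(Path("/Users/me/Downloads/Installer.app"))`; a result with `suspicious` set, or a bundle that was just downloaded yet reports `quarantined: False`, warrants a closer look before anyone opens it.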
Threat updates
| Date | Update |
|---|---|
| 29 Apr 2021 | Gatekeeper bypass patched. Apple has patched the flaw (CVE-2021-30657) that Shlayer exploited to bypass Gatekeeper checks. Users should update to macOS Big Sur 11.3 to apply the fix. |
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Last edited: 29 April 2021 1:31 pm