A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now being capable to escalate privileges using a two-year-old technique and to disable the Gatekeeper protection mechanism to run unsigned second stage payloads.

Shlayer was first observed in action by Intego's research team which found it being distributed as part of a malware campaign during February 2018, disguising as a fake Adobe Flash Player installer like many other malware families targeting the Mac platform.

Just like it did in the past, the new malware version is also distributed as a malicious Adobe Flash software update, but unlike the original version which was pushed through torrent websites, Shlayer is now spreading as fake update pop-ups on hijacked domains or legitimate sites clones, or as part of malvertising campaigns running on legitimate websites.

This new Shlayer variant unearthed by Carbon Black’s Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as a DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate.

Malicious Flash Player Installer

Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer.

The malicious script included in the DMG is encoded using base64 and will decrypt a second AES encrypted script which will be executed automatically after being decrypted.

As found by Carbon Black's researchers, the second script:

Collects system information such as the macOS version and IOPlatformUUID (a unique identifier for the system)

Generates a “Session GUID” using uuidgen

Creates a custom URL using the information generated in the previous two steps and downloads the second stage payload.

Attempts to download the zip file payload using curl

Creates a directory in /tmp to store the payload and unzips the password-protected payload (note: the zip password is hardcoded in the script per sample)

Makes the binary within the unzipped .app executable using chmod +x

executable using Executes the payload using open with the passed arguments “s” “$session_guid” and “$volume_name”

with the passed arguments “s” “$session_guid” and “$volume_name” Performs a killall Terminal to kill the running script’s terminal window

One it successfully downloads the second stage malware payload, Shlayer will "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017.

The next step is to download extra payloads which all contain adware according to TAU and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism.

After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

Signed Shlayer second-stage payload

While currently only distributing adware, the Shlayer malware's authors can switch the payloads at any time to drop a lot more dangerous malware families such as ransomware or wipers.

However, the impact adware has on an infected machine is not to be disregarded given that the entire system will eventually be slowed down, while the pushed advertisements can easily trick the victims into buying services and products they don't actually need.

Carbon Black’s Threat Analysis Unit also provides a full list of indicators of compromise (IOCs) such as executable hashes, domains used by the malware campaign and IP addresses of C&C servers on the company's GitHub page.