macOS malware is becoming a serious threat to Mac users. Cyber criminals, APT groups and nation-state actors are extensively targeting Apple iOS/macOS devices, for several reasons. Continuous innovation and development of Apple's platforms ultimately leads to new attack surfaces (and more 0-days sold in the underground). The built-in anti-malware features are weak: macOS ships with Gatekeeper and XProtect, but both can be bypassed by new malware. Finally, Apple devices are trendy, sometimes considered a wealth indicator, or simply becoming more useful in millions of people's everyday lives. All of these things may convince any threat actor to look at Apple devices and include them in their scope of targets.

OSX/Shlayer has been a very common macOS malware this year, most of the time delivered through malicious ads. First discovered in 2018, OSX/Shlayer came via a fake Flash Player updater that appeared on BitTorrent file-sharing websites when a user clicked a link to copy a torrent magnet link.

Today's OSX/Shlayer is still delivered through malicious ads. Thanks to Confiant's real-time malvertising tracking platform, we stumbled upon a malicious advertiser who redirects victims matching certain criteria (coming from certain countries, or using macOS computers) to the following landing page, offering yet another fake Adobe Flash Player update:

Landing page, showing a Fake Flash Update delivering OSX/Shlayer.D

An Apple Disk Image file, AdobeFlashPlayerInstaller.dmg, is downloaded, with the following SHA-256 hash: 07d0c83caa7af3daaf243168138afd020ce9d7ee9b2f502cbf4acb065f550f73. This installer has the same icon as the genuine Adobe Flash Player installer:

A fake Adobe Flash Player installer delivering OSX/Shlayer.D

Of course this is not the real Adobe Flash Player installer. One way to confirm this is to check who signed it, and whether that signer is Adobe, using the macOS command: codesign -d -vvv <path>

Indeed, this is not the official Adobe installer but a fake Flash Player installer that was signed with an Apple developer certificate (Team ID 2L27TJZBZM), probably issued to a fake identity named Fajar Budiarto.

Signing malware with Apple developer certificates is not only easy to do, it has become standard practice for macOS malware developers, and that is one of the reasons Gatekeeper and XProtect fail to stop this malware: it is signed. Even though the identity behind it is fake, the developer certificate is still issued by Apple, so the malware is allowed to run after some preliminary checks, at least until Apple revokes that certificate. The check Gatekeeper does not make for you is whether the signer's identity matches the vendor the installer claims to be: a certificate issued to an individual on a file that presents itself as an Adobe product is the tell.
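The signer check described above, as an added example that is not part of the original post: it parses the output of codesign -d -vvv (the Authority= and TeamIdentifier= lines) and compares the signing Team ID with the one you expect from the genuine vendor. The sample output embedded below is constructed for this example; only the name and Team ID come from the post, and the identifier, hashes and sizes are placeholders.

```python
"""Check who actually signed a macOS installer.

Added example (not from the original post): parse `codesign -d -vvv <path>`
output and compare the signing Team ID with the vendor's expected Team ID.
"""
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape codesign -d -vvv prints (it writes these
# details to stderr). Field names are real; identifier, hashes and sizes are
# placeholders. The Authority/TeamIdentifier values match the fake installer
# discussed in the post.
SAMPLE_FAKE_INSTALLER = """\
Identifier=com.example.fake-flash-installer
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Fajar Budiarto (2L27TJZBZM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=2L27TJZBZM
"""


@dataclass
class SigningInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    # Certificate chain, leaf first: the first entry names the developer.
    authorities: List[str] = field(default_factory=list)


def parse_codesign(text: str) -> SigningInfo:
    """Pull the fields that matter for attribution out of codesign output."""
    info = SigningInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info.identifier = value.strip()
        elif key == "TeamIdentifier":
            info.team_id = value.strip()
        elif key == "Authority":
            info.authorities.append(value.strip())
    return info


def signed_by(info: SigningInfo, expected_team_id: str) -> bool:
    """True only when the Team ID matches the vendor you expect.

    A valid Apple-issued chain under any *other* Team ID is exactly what
    Gatekeeper accepts, so this is the comparison you have to make yourself.
    """
    return info.team_id is not None and info.team_id == expected_team_id


def run_codesign(path: str) -> str:
    """Run the command from the post on a real file (macOS only)."""
    if sys.platform != "darwin":
        raise RuntimeError("codesign is only available on macOS")
    proc = subprocess.run(["codesign", "-d", "-vvv", path],
                          capture_output=True, text=True)
    # codesign prints the details to stderr; merge both streams before parsing.
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # usage: python check_signer.py [path] [expected_team_id]
    text = run_codesign(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FAKE_INSTALLER
    info = parse_codesign(text)
    print("identifier     :", info.identifier)
    print("leaf authority :", info.authorities[0] if info.authorities else "<unsigned>")
    print("team id        :", info.team_id)
    if len(sys.argv) > 2:
        print("matches vendor :", signed_by(info, sys.argv[2]))
```

Take the expected Team ID from a known-good copy of the vendor's real installer, not from the file under suspicion. The script also works on an unsigned binary: codesign then prints no Authority or TeamIdentifier lines, so team_id stays None and signed_by() is False.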

Since this file was downloaded by Safari (or any other quarantine-aware browser or application, such as Chrome.app or Mail.app), extended attributes are added to the file in the HFS+/APFS file system, in particular the com.apple.quarantine attribute. That attribute is what makes Gatekeeper and XProtect kick in and analyze the file when it is first opened: if all goes well a user-consent pop-up warns the user before running the file, and if the file turns out to be known malware the user is given no option other than to move it to the Trash.

The problem is that not all macOS applications are quarantine aware, and curl is one good example.

So what happens if this malware is not downloaded by a quarantine-aware application, but by the curl command line tool instead? The quarantine extended attribute is never set on the file, so neither Gatekeeper nor XProtect kicks in, no user-consent pop-up is shown and the malware simply executes. This is a total bypass of the macOS built-in malware security features, and in fact that is exactly what OSX/Shlayer uses to launch OSX/Tarmac, with administrator privileges!
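The quarantine check from the two paragraphs above, as an added example that is not part of the original post: it reads com.apple.quarantine with xattr -p, decodes its value, tells you whether Gatekeeper would be consulted at all, and can tag a file fetched with curl by hand so the normal prompt fires on first open. The attribute name and the flags;timestamp;agent;uuid layout are real; the sample value and UUID are constructed, and the 0081 flags value used when tagging is an assumption (a value commonly seen on browser downloads; the individual bits are undocumented).

```python
"""com.apple.quarantine: read it, decode it, and apply it to a curl download.

Added example (not from the original post). Sample values are constructed.
"""
import datetime
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample of what a browser writes: hex flags, hex seconds since
# the Unix epoch, the downloading agent, and the LaunchServices event UUID.
SAMPLE_SAFARI_VALUE = "0081;5d1c2f3a;Safari;8BA2A4F6-2C2D-4E2B-9F0C-1B2C3D4E5F60"


@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: datetime.datetime
    agent: str
    event_uuid: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode the semicolon-separated attribute value."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"not a quarantine value: {value!r}")
    return QuarantineInfo(
        flags=int(parts[0], 16),
        downloaded_at=datetime.datetime.fromtimestamp(
            int(parts[1], 16), tz=datetime.timezone.utc),
        agent=parts[2],
        event_uuid=parts[3] if len(parts) > 3 else "",
    )


def read_quarantine(path: str) -> Optional[str]:
    """Raw attribute value, or None when the file was never quarantined
    (the curl case). macOS only: shells out to xattr(1)."""
    if sys.platform != "darwin":
        raise RuntimeError("xattr -p com.apple.quarantine only works on macOS")
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # xattr exits non-zero when the attribute is absent
        return None
    return proc.stdout.strip()


def gatekeeper_will_evaluate(raw: Optional[str]) -> bool:
    """Gatekeeper and XProtect are only consulted for quarantined files."""
    return bool(raw)


def quarantine_value(agent: str, flags: int = 0x81) -> str:
    """Build a value in the same layout a browser would write.

    flags=0x81 is an assumption: commonly observed on browser downloads,
    bit meanings undocumented. The event UUID is left empty.
    """
    now = int(datetime.datetime.now(tz=datetime.timezone.utc).timestamp())
    return f"{flags:04x};{now:x};{agent};"


def tag_download(path: str, agent: str = "curl") -> str:
    """Apply the attribute to a file curl left unquarantined.
    Equivalent to: xattr -w com.apple.quarantine '<value>' <path>  (macOS only)."""
    if sys.platform != "darwin":
        raise RuntimeError("xattr -w only works on macOS")
    value = quarantine_value(agent)
    subprocess.run(["xattr", "-w", QUARANTINE_XATTR, value, path], check=True)
    return value


if __name__ == "__main__":
    # usage: python quarantine.py [path]   (no path: decode the constructed sample)
    raw = read_quarantine(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SAFARI_VALUE
    print("gatekeeper will evaluate:", gatekeeper_will_evaluate(raw))
    if raw:
        info = parse_quarantine(raw)
        print(f"agent={info.agent} flags=0x{info.flags:04x} "
              f"downloaded={info.downloaded_at.isoformat()} event={info.event_uuid or '-'}")
```

For a quick manual look, xattr -l <path> lists every extended attribute on the file; a sample fetched with curl shows no com.apple.quarantine line at all, which is the whole point of the bypass. Tagging the file with tag_download() before opening it puts it back on the path Gatekeeper and XProtect expect.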