10% of Macs infected by Shlayer Trojan, AV maker reveals

Shlayer Trojan topped the 2019 charts: 1 in 10 Macs got infected by it throughout the year

Shlayer Trojan infected 10% of macOS users

Even in 2020, there are many Apple device power users who claim that macOS does not need anti-malware software due to the advanced implementation of security measures of the operating systems – these allegedly protect from all the evil lurking on the web. However, security researchers had proven multiple times that Macs are not immune to malicious software, as users can easily be tricked into installing malware – granting it permission to do so.

Anti-virus maker Kaspersky published a yearly report[1] about its monitored macOS machines – and results may surprise some. As it turned out, one in ten Macs were at some point were infected with a relatively primitive – yet effective – malware Shlayer Trojan,[2] also dubbed OSX/Shlayer by Intego security researchers when they discovered it back in February 2018.[3] During 2019, Kaspersky security software identified 32,000 samples across its all monitored systems, which accounts for 30% of all Mac malware detections, most of which come from the USA (31%), Germany (14%) and France (10%). 

Most of Shlayer Trojan variants flagged by Kaspersky were described as nothing out of ordinary, although recent versions were observed being written in Python:

Despite its prevalence, from a technical viewpoint Shlayer is a rather ordinary piece of malware. Of all its modifications, only the recent Trojan-Downloader.OSX.Shlayer.e stands apart. Unlike its Bash-based cousins, this variant of the malware is written in Python, and its operation algorithm is also somewhat different.

Simple yet effective: fake Flash Player prompts, YouTube description links and even Wikipedia articles lead macOS users to Shlayer Trojan

Shlayer Torjan’s success rate does not lie within its sophistication, however, as it relies on a good old fake Flash Player malvertising[4] technique to propagate, ant its set of capabilities is also relatively limited – Shlayer is a Trojan downloader that populates adware-type programs on the machine, consequently monetizing on the illegal ad-revenue. Additionally, researchers also found that malicious links were embedded within YouTube videos, streaming sites, and even Wikipedia articles.

The most probable cause of Shaler Trojan infections in the landing pages of advertisements embedded on various websites – mostly video streaming. Users are notified by a short message which claims that they need to update Flash in order to stream the video, which leads them to a download site of a boobytrapped DMG file.

Kaspersky researchers said that Shlayer Trojan was also offered as a partner program that comes within the installer – over 1,000 sites were found to be involved:

We noticed at once several file partner programs in which Shlayer was offered as a monetization tool. Having analyzed various offers, we identified a general trend: Shlayer stands out from the field for the relatively high installation fee (though only installations performed by U.S.-based users count). The prospect of a juicy profit likely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).

Shlayer Trojan can not only install malware in the background but also gather sensitive information from the browser

The initial DMG image is actually a Python-based script, which, once executed, will begin the infection routine. Slayer Trojan first collects some technical data about the host computer and assigns it a unique ID, which will be used later during the operation. During the first stage of the attack, it also grants itself elevated permissions on the system.

What users see, however, is something completely different, as the installation of the Trojan may seem like a normal process that they see each time they download a new app. Besides seeing a fake Flash installation, victims will be presented with an allegedly optional application like BlueStacks App Player, and two options will be provided – “Skip” or “Next.”

Regardless of which is chosen, however, the app will be installed in the background and will proceed with inserting a malicious browser extension on Safari without any notification by using fake alert overlays. The extension is used to track various data from the web browser and divert users to predetermined sites.

Another addition to the macOS that the malware installs is mitmdump proxy software SearchSkilledData, which will allow Shlayer to send all the traffic through the configurated proxy. As a result, threat actors can intercept and acquire such information from infected users as banking details, login credentials, and other sensitive data.

To protect yourself against Shlayer Trojan, practice good web browsing habits, employ ad-blocking extension,[5] and equip your system with powerful anti-malware software.