Carbon Black’s Threat Analysis Unit (TAU) discovers new malware for macOS. It’s a variant of Shlayer, unveiled last year. It’s disguised as an Adobe Flash software update and is capable of privilege escalation.
There’s new macOS malware in the wild. It has been discovered by Carbon Black cyber security experts. According to the company’s blog, the Threat Analysis Unit (TAU) recently discovered a new variant of the Shlayer family of macOS malware, first discovered in February 2018 by researchers from Intego. TAU has obtained new samples of this malicious code and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update. Many of the sites that TAU found redirecting to these fake updates masquerade as legitimate sites or are hijacked domains that formerly hosted legitimate sites, and some appear to be reached through malvertisements on legitimate sites. The samples discovered affect versions of macOS from 10.10.5 to 10.14.3. The malicious code employs multiple levels of obfuscation and is capable of privilege escalation. Furthermore, all discovered samples targeted only macOS.
The cyber security experts: how the infection chain works
According to Carbon Black’s TAU, many of the initial malware DMGs are signed with a legitimate Apple developer ID and use legitimate system applications via bash to conduct all installation activity. “Although most samples were DMG files, we also discovered .pkg, .iso, and .zip payloads,” the cyber security experts continued. A command script is executed from a hidden directory in the mounted volume. The script base64-decodes and AES-decrypts a second script, which contains an additional encoded script that is subsequently executed. This represents the final step of the first stage of the infection. After identifying the script location and performing a verification check, it collects system information; generates a “Session GUID”; creates a custom URL and downloads the second-stage payload; creates a directory to store the malware and unzips it; makes the binary within the unzipped .app executable; executes the payload; and kills the running script’s terminal window.
The malware attempts to download additional software and disables Gatekeeper for the downloaded software using spctl
The malware attempts to escalate privileges on the targeted macOS system with sudo, using a technique that invokes /usr/libexec/security_authtrampoline. Once it has elevated to root privileges, it attempts to download additional software (adware, in the samples Carbon Black analyzed) and disables Gatekeeper for the downloaded software using spctl. This allows the whitelisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the internet. Furthermore, many of the payloads contained within the second-stage download are signed with a valid developer ID. TAU is continuing to monitor and analyze this threat, and will publish additional information if necessary.
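As an added illustration of how the behaviours described in the infection chain and the privilege-escalation steps above could be matched in process telemetry, the following Python (written for this page, not Carbon Black’s code) runs a few toy detection rules over constructed process-execution events. The rule for the decryption stage assumes openssl is the AES tool, and the command lines themselves are constructed samples, not real indicators.

```python
"""Toy detection rules for the Shlayer stages described above.

Each rule checks one process-execution event (parent command line plus
the executed command line) for one observed behaviour. The sample
events at the bottom are constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcEvent:
    parent: str   # command line of the parent process
    cmdline: str  # command line of the executed process


# (rule name, predicate) pairs; each mirrors one stage from the write-up
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    # Stage 1: a shell running a script out of a hidden directory on a mounted volume
    ("hidden_script_on_mounted_volume",
     lambda e: re.match(r"(/bin/)?(ba)?sh\b", e.cmdline) is not None
               and re.search(r"/Volumes/\S*/\.[^\s/]+", e.cmdline) is not None),
    # Stage 1: base64 decode chained into an AES decrypt (openssl assumed here)
    ("base64_then_aes_decrypt",
     lambda e: "base64" in e.cmdline and "openssl enc" in e.cmdline
               and " -d " in e.cmdline),
    # Privilege escalation: the authorization trampoline launched from a shell
    ("security_authtrampoline_from_shell",
     lambda e: "/usr/libexec/security_authtrampoline" in e.cmdline
               and re.search(r"\b(ba)?sh\b", e.parent) is not None),
    # Gatekeeper bypass: whitelisting a downloaded bundle with spctl
    ("spctl_whitelist_download",
     lambda e: re.search(r"\bspctl\b.*--add\b", e.cmdline) is not None),
]


def classify(event: ProcEvent) -> List[str]:
    """Return the names of every rule the event triggers (empty = clean)."""
    return [name for name, pred in RULES if pred(event)]


def scan(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Map each command line to the rules it triggered."""
    return {e.cmdline: classify(e) for e in events}


# Constructed sample events, one per stage plus one benign control
SAMPLE_EVENTS = [
    ProcEvent("/sbin/launchd", "/bin/sh /Volumes/Install/.hidden/Install.command"),
    ProcEvent("/bin/bash", "sh -c 'base64 -D stage.txt | openssl enc -aes-256-cbc -d -pass pass:X'"),
    ProcEvent("/bin/bash", "/usr/libexec/security_authtrampoline /bin/sh auth 1"),
    ProcEvent("/bin/bash", "sudo spctl --add /Users/Shared/Player.app"),
    ProcEvent("/sbin/launchd", "/usr/bin/git pull"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four events, one rule each, and leaves the benign `git pull` untouched.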