Researchers have discovered a new variant of the Shlayer malware, which targets macOS users. Once on the victim's machine, it is able to disable Gatekeeper, which lets it run unsigned payloads.
The malware was found by the Carbon Black Threat Analysis Unit (TAU), which states that Shlayer is disguised as a fake Adobe Flash update distributed through malicious websites.
Recall that the original version of Shlayer was discovered by Intego researchers in February 2018.
The Trojan's main function is to deliver payloads and adware using shell scripts. In essence, it is a dropper; the new version targets macOS versions from 10.10.5 through 10.14.3 (Mojave).
The researchers believe no Windows version of the malware exists. A distinctive feature of Shlayer is its use of a valid code-signing certificate, which helps it get past Gatekeeper's checks.
Developers enrolled in the Apple Developer Program can sign their applications to attest to their legitimacy. Unfortunately, the same mechanism is abused by criminals: a signature proves only who signed the code, not that it is benign.
The new variant lands on the victim's machine as a DMG, PKG, ISO or ZIP file. Once installed, a script placed in a hidden directory runs and decrypts a second script, which in turn contains the malicious third stage.
The final-stage script collects information about the system: the macOS version and unique identifiers. It then generates a GUID and escalates privileges to root. For the latter, the malware uses a technique described by Patrick Wardle in a talk at DEF CON 2017.
After escalating privileges, the malicious script attempts to disable Gatekeeper on the system and then downloads additional malware from the Internet.
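Because the dropper's end goal is to switch Gatekeeper off and then fetch more code, the first thing a defender wants is a quick way to confirm Gatekeeper is still enabled and to see who signed a suspicious installer. The script below is an added example and is not part of the original article or of the Carbon Black report. It wraps the standard macOS tools `spctl` and `codesign`; the parsing functions take command output as a string so they can be exercised offline on the constructed sample lines shown, and the live audit only runs where `spctl` exists.

```shell
#!/bin/sh
# Added example (not from the original article): Gatekeeper audit helpers
# for a macOS host. Parsing is separated from command execution so the
# logic can be tested on constructed output without a Mac.

# Parse the output of `spctl --status`.
# Returns 0 when "assessments enabled", 1 when "assessments disabled",
# 2 when the text is not recognised.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  return 0 ;;
        *"assessments disabled"*) return 1 ;;
        *)                        return 2 ;;
    esac
}

# Parse the output of `spctl --assess -v <path>`, which looks like
# "/path/to/Installer.pkg: accepted" followed by "source=Developer ID",
# or "/path/to/x.app: rejected". Prints accepted / rejected / unknown.
assess_verdict() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# Live audit. $1 is an optional file to assess; $2 is the spctl assessment
# type ("execute" for apps, "install" for packages; defaults to execute).
# Exits quietly on hosts without spctl (i.e. not macOS).
audit_host() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found; not macOS"; return 0; }
    status=$(spctl --status 2>&1)
    if gatekeeper_state "$status"; then
        echo "Gatekeeper: enabled"
    else
        echo "Gatekeeper: DISABLED or unknown ($status)"
        echo "  re-enable with: sudo spctl --master-enable"
    fi
    if [ -n "$1" ]; then
        out=$(spctl --assess -v --type "${2:-execute}" "$1" 2>&1)
        echo "$1 -> $(assess_verdict "$out")"
        # "accepted" only means the signature chains to an Apple-trusted
        # Developer ID; Shlayer is signed too. Print the signing chain so a
        # human can judge whether the identity is the one expected.
        codesign -dvv "$1" 2>&1 | grep -E '^Authority=' || true
    fi
}

# Usage (hypothetical path): audit_host /Volumes/FlashPlayer/Install.pkg install
```

Run `audit_host` with no arguments for the Gatekeeper status alone, or pass an installer path and `install` (for a .pkg) or `execute` (for an .app) to get the assessment verdict plus the `Authority=` lines of its signing chain. Note that an "accepted" verdict is exactly what a Developer ID-signed dropper like Shlayer produces, so the signing identity, not the verdict, is the thing to review.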