Researchers have discovered a new variant of Shlayer Mac malware that bypasses Apple’s built-in security protections and is being spread via malicious results from Google web searches.
Shlayer is used generally to distributed bundled adware or unwanted programs. According to a company blog post from Intego, the new version of this malware was observed being delivered via a weaponized Apple Disk Image (.dmg) file, disguised as an installer for Adobe Flash Player.
macOS device owners searching via Google for certain YouTube video titles could fall victim to this scheme, as malicious actors have used search poisoning techniques to develop malicious results for these inquiries. Users who click on these results will be taken to various redirection sites until they land on a page that falsely claims their Flash Player is outdated and encourage them to download and install an update. This so-called update, however, is the aforementioned trojanized .dmg file.
"While the installer has a Flash Player icon and looks like a normal Mac app, it's actually a bash shell script that will briefly open and run itself in the Terminal app," explains the Intego blog post, authored by Chief Security Analyst Joshua Long. "As the script runs, it extracts a self-embedded, password-protected .zip archive file, which contains a traditional (though malicious) Mac .app bundle. After installing the Mac app into a hidden temporary folder, it launches the Mac app and quits the Terminal. All this takes place within a split second."
"Once the Mac app launches, it downloads a legitimate, Adobe-signed Flash Player installer, so that it can appear to be genuine -- but the hidden Mac app is designed to also have the capability to download any other Mac malware or adware package, at the discretion of those controlling the servers to which the hidden Mac app phones home," Long continues.
Long calls the malware developers' use of the bash shell script a "novel idea" that indicates that the adversaries are trying to evade antivirus detection. Additionally, during the installation process, users are instructed to "right-click" on the fake Flash installer and select the "Open" command.
This right-click technique was introduced to avoid users from double-clicking on the fake installer, which would have opened a dialog box stating that the app can't be opened because the developer is unverified. Instead, users receive a different dialog box -- one that says the developer is not verified, but still gives the option to open the app.
"In this case, the malware makers are hoping you’ll ignore Apple’s fine print and instead blindly follow the malware maker’s instructions from the disk image background instead," writes Long.
Intego notes that the company distributing the disguised Shlayer variant calls itself FlashDownloader and lists its contact information as [email protected][.]pro. "The domain flashdownloader[.]pro was registered on June 8, 2020, just days before the malware was first observed in the wild," the blog post states.
Intego also reports that the same company also claims to offer a web browser with a built-in free VPN for Windows, with a Mac version coming soon.