OSX/Shlayer, first discovered in 2018, is a Trojan designed to install adware on macOS.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt | OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1] |
| Enterprise | T1176 | Browser Extensions | OSX/Shlayer can install malicious Safari browser extensions to serve ads.[4][5] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1] Versions of OSX/Shlayer pass encrypted and password-protected code to |
| Enterprise | T1083 | File and Directory Discovery | OSX/Shlayer has used the command |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | OSX/Shlayer can use the |
| Enterprise | T1564 | Hide Artifacts | OSX/Shlayer has used the |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.[1] |
| Enterprise | T1564.009 | Hide Artifacts: Resource Forking | OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal and Finder, and potentially to evade traditional scanners.[9][10] |
| Enterprise | T1564.011 | Hide Artifacts: Ignore Process Interrupts | OSX/Shlayer has used the |
| Enterprise | T1105 | Ingress Tool Transfer | OSX/Shlayer can download payloads and extract bytes from files. OSX/Shlayer uses the |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | OSX/Shlayer can masquerade as a Flash Player update.[1][2] |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | If running with elevated privileges, OSX/Shlayer has used the |
| Enterprise | T1082 | System Information Discovery | OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command |
| Enterprise | T1204.002 | User Execution: Malicious File | OSX/Shlayer has relied on users mounting and executing a malicious DMG file.[1][2] |