OSX/Shlayer is a Trojan designed to install adware on macOS. It was first discovered in 2018.[1][2]

ID: S0402
Associated Software: Crossrider
Platforms: macOS
Version: 1.1
Created: 29 August 2019
Last Modified: 22 October 2020

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1548 .004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt

OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1]

Enterprise T1176 Browser Extensions

OSX/Shlayer can install malicious Safari browser extensions to serve ads.[3][4]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

OSX/Shlayer can use bash scripts to check the macOS version and download payloads.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

OSX/Shlayer can use the chmod utility to set a .app file as executable, and the spctl application to disable Gatekeeper protection for a downloaded file.[1].[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

OSX/Shlayer can masquerade as a Flash Player update.[1][2]

Enterprise T1082 System Information Discovery

OSX/Shlayer can collect the macOS version and IOPlatformUUID.[1]

Enterprise T1204 .002 User Execution: Malicious File

OSX/Shlayer relies on users mounting and executing a malicious DMG file.[1][2]