SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. OSX/Shlayer

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS. It was first discovered in 2018.[1][2]

ID: S0402
Associated Software: Crossrider
Type: MALWARE
Platforms: macOS
Version: 1.1
Created: 29 August 2019
Last Modified: 22 October 2020
Version Permalink

Associated Software Descriptions

Name Description
Crossrider

[3][4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt

OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1]
Enterprise T1176 Browser Extensions

OSX/Shlayer can install malicious Safari browser extensions to serve ads.[3][4]
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

OSX/Shlayer can use bash scripts to check the macOS version and download payloads.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1]
Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

OSX/Shlayer can use the chmod utility to set a .app file as executable, and the spctl application to disable Gatekeeper protection for a downloaded file.[1].[1]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

OSX/Shlayer can masquerade as a Flash Player update.[1][2]
Enterprise T1082 System Information Discovery

OSX/Shlayer can collect the macOS version and IOPlatformUUID.[1]
Enterprise T1204 .002 User Execution: Malicious File

OSX/Shlayer relies on users mounting and executing a malicious DMG file.[1][2]

References

  1. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  2. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  1. Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
  2. Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.