OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS. It was first discovered in 2018.[1][2]

ID: S0402
Associated Software: Crossrider
Type: MALWARE
Platforms: macOS
Version: 1.0

Associated Software Descriptions

Name Description
Crossrider [3][4]

Techniques Used

Domain ID Name Use
Enterprise T1176 Browser Extensions

OSX/Shlayer can install malicious Safari browser extensions to serve ads.[3][4]

Enterprise T1140 Deobfuscate/Decode Files or Information

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1]

Enterprise T1089 Disabling Security Tools

OSX/Shlayer can disable Gatekeeper using the native spctl application.[1]

Enterprise T1514 Elevated Execution with Prompt

OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1]

Enterprise T1222 File and Directory Permissions Modification

OSX/Shlayer can use the chmod utility to set a .app file as executable.[1]

Enterprise T1158 Hidden Files and Directories

OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[1]
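
Two of the behaviours listed above, disabling Gatekeeper with spctl (T1089) and staging a .command script inside a hidden directory on the mounted DMG (T1158), are cheap to hunt for on a host. The following POSIX shell script is an added defensive example; it is not part of the ATT&CK entry and is not derived from any Shlayer sample. It parses the text `spctl --status` prints ("assessments enabled" / "assessments disabled") and lists .command files found under dot-directories beneath a given mount point. The directory layout it builds under `mktemp` is constructed for the demonstration.

```shell
#!/bin/sh
# Added defensive example (not from the ATT&CK page or any Shlayer sample):
# hunt for two behaviours the page attributes to OSX/Shlayer, Gatekeeper being
# disabled (T1089) and a .command script hidden on a mounted DMG (T1158).

# Interpret the text `spctl --status` prints. Taking the text as an argument
# keeps the parsing testable on hosts that have no spctl binary.
# Exit status: 0 = assessments enabled, 1 = disabled, 2 = unrecognised output.
gatekeeper_enabled() {
  case "$1" in
    *"assessments enabled"*)  return 0 ;;
    *"assessments disabled"*) return 1 ;;
    *)                        return 2 ;;
  esac
}

# Print every .command file that lives under a dot-directory beneath $1
# (paths are printed relative to $1, e.g. ./.hidden/Installer.command).
find_hidden_command_scripts() {
  ( cd "$1" 2>/dev/null && find . -path '*/.*/*' -type f -name '*.command' )
}

# Same search, reduced to a count so a caller gets a single value.
count_hidden_command_scripts() {
  find_hidden_command_scripts "$1" | wc -l | tr -d ' '
}

# --- Demo on a constructed directory layout that mimics a mounted DMG ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/.hidden" "$demo_root/Install Flash Player.app"
: > "$demo_root/.hidden/Installer.command"   # constructed indicator
: > "$demo_root/README.txt"                  # benign, visible file

echo "Hidden .command scripts under $demo_root:"
find_hidden_command_scripts "$demo_root"
echo "count: $(count_hidden_command_scripts "$demo_root")"

# On macOS, also check the live Gatekeeper state; elsewhere this is skipped.
if command -v spctl >/dev/null 2>&1; then
  status=$(spctl --status 2>&1)
  if gatekeeper_enabled "$status"; then
    echo "Gatekeeper: enabled"
  else
    echo "Gatekeeper: NOT enabled ($status)"
  fi
fi

rm -rf "$demo_root"
```

Run it against a real mount point (for example `find_hidden_command_scripts /Volumes/<image name>`) after a DMG has been attached; a non-empty listing or a Gatekeeper status other than "assessments enabled" is worth a closer look, but neither result is proof of Shlayer on its own.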

Enterprise T1036 Masquerading

OSX/Shlayer can masquerade as a Flash Player update.[1][2]

Enterprise T1064 Scripting

OSX/Shlayer can use bash scripts to check the macOS version and download payloads.[1]

Enterprise T1082 System Information Discovery

OSX/Shlayer can collect the macOS version and IOPlatformUUID.[1]

Enterprise T1204 User Execution

OSX/Shlayer relies on users mounting and executing a malicious DMG file.[1][2]

References