OSX/Shlayer
OSX/Shlayer is a Trojan designed to install adware on macOS. It was first discovered in 2018.[1][2]
Associated Software Descriptions
| Name | Description |
|---|---|
| Crossrider | |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt | OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1] |
| Enterprise | T1176 | Browser Extensions | OSX/Shlayer can install malicious Safari browser extensions to serve ads.[3][4] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | OSX/Shlayer can use bash scripts to check the macOS version and download payloads.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1] |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | OSX/Shlayer can use the |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | OSX/Shlayer can masquerade as a Flash Player update.[1][2] |
| Enterprise | T1082 | System Information Discovery | OSX/Shlayer can collect the macOS version and IOPlatformUUID.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | OSX/Shlayer relies on users mounting and executing a malicious DMG file.[1][2] |