The sub-techniques beta is now live! Read the release blog post for more info.
SOFTWARE
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. OSX/Shlayer

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS. It was first discovered in 2018.[1][2]

ID: S0402
Associated Software: Crossrider
Type: MALWARE
Platforms: macOS
Version: 1.0
Created: 29 August 2019
Last Modified: 14 October 2019

Associated Software Descriptions

Name Description
Crossrider [3][4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1176 Browser Extensions

OSX/Shlayer can install malicious Safari browser extensions to serve ads.[3][4]
Enterprise T1140 Deobfuscate/Decode Files or Information

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1]
Enterprise T1089 Disabling Security Tools

OSX/Shlayer can disable Gatekeeper using the native spctl application.[1]
Enterprise T1514 Elevated Execution with Prompt

OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1]
Enterprise T1222 File and Directory Permissions Modification

OSX/Shlayer can use the chmod utility to set a .app file as executable.[1]
Enterprise T1158 Hidden Files and Directories

OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[1]
Enterprise T1036 Masquerading

OSX/Shlayer can masquerade as a Flash Player update.[1][2]
Enterprise T1064 Scripting

OSX/Shlayer can use bash scripts to check the macOS version and download payloads.[1]
Enterprise T1082 System Information Discovery

OSX/Shlayer can collect the macOS version and IOPlatformUUID.[1]
Enterprise T1204 User Execution

OSX/Shlayer relies on users mounting and executing a malicious DMG file.[1][2]

References

  1. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  2. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  1. Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
  2. Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.