OSX/Shlayer
OSX/Shlayer is a Trojan designed to install adware on macOS. It was first discovered in 2018.[1][2]
Associated Software Descriptions
| Name | Description |
|---|---|
| Crossrider | [3][4] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1176 | Browser Extensions |
OSX/Shlayer can install malicious Safari browser extensions to serve ads.[3][4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1] |
| Enterprise | T1089 | Disabling Security Tools |
OSX/Shlayer can disable Gatekeeper using the native |
| Enterprise | T1514 | Elevated Execution with Prompt |
OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1] |
| Enterprise | T1222 | File and Directory Permissions Modification |
OSX/Shlayer can use the |
| Enterprise | T1158 | Hidden Files and Directories |
OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[1] |
| Enterprise | T1036 | Masquerading |
OSX/Shlayer can masquerade as a Flash Player update.[1][2] |
| Enterprise | T1064 | Scripting |
OSX/Shlayer can use bash scripts to check the macOS version and download payloads.[1] |
| Enterprise | T1082 | System Information Discovery |
OSX/Shlayer can collect the macOS version and IOPlatformUUID.[1] |
| Enterprise | T1204 | User Execution |
OSX/Shlayer relies on users mounting and executing a malicious DMG file.[1][2] |