Register to stream the next session of ATT&CKcon Power Hour November 12

SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

Y-Z

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS. It was first discovered in 2018.^[1]^[2]

ID: S0402

Associated Software: Crossrider

Type: MALWARE

Platforms: macOS

Version: 1.1

Created: 29 August 2019

Last Modified: 18 March 2020

Version Permalink

Live Version

Associated Software Descriptions

Name	Description
Crossrider	^[3]^[4]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1548	.004	Abuse Elevation Control Mechanism: Elevated Execution with Prompt	OSX/Shlayer can escalate privileges to root by asking the user for credentials.^[1]
Enterprise	T1176		Browser Extensions	OSX/Shlayer can install malicious Safari browser extensions to serve ads.^[3]^[4]
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	OSX/Shlayer can use bash scripts to check the macOS version and download payloads.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.^[1]
Enterprise	T1222	.002	File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification	OSX/Shlayer can use the `chmod` utility to set a .app file as executable.^[1]
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.^[1]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	OSX/Shlayer can disable Gatekeeper using the native `spctl` application.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	OSX/Shlayer can masquerade as a Flash Player update.^[1]^[2]
Enterprise	T1082		System Information Discovery	OSX/Shlayer can collect the macOS version and IOPlatformUUID.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	OSX/Shlayer relies on users mounting and executing a malicious DMG file.^[1]^[2]

References