Delaware, USA – January 28, 2020 – Over the past year, the Shlayer trojan targeted about 30% of Apple computers in the United States, taking the lead in the macOS malware charts. The Trojan was first discovered at the beginning of 2018, exploiting the confidence of Apple users that there are very few malware families for their systems. Last week, Kaspersky Lab reported on this threat spreading via fake applications that hide its malicious code. Attackers use Shlayer to install various malware, with a clear preference for adware variants. The next-stage payloads flood users’ devices with unsolicited ads and intercept browser searches, modifying the results to promote more ads.
“We noticed at once several file partner programs in which Shlayer was offered as a monetization tool,” reports Kaspersky Lab. “Having analyzed various offers, we identified a general trend: Shlayer stands out from the field for the relatively high installation fee (though only installations performed by US-based users count). The prospect of a juicy profit likely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).” When victims visit lure sites, they are told that they need to install what is presented as a Flash Player update; the installer is actually the trojan.
Unfortunately, macOS systems are increasingly attracting the attention of cybercriminals, including such notorious groups as Lazarus. You can spot Gatekeeper bypass attempts with a threat hunting Sigma rule available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/qbsVviAxfJhN/