Carbon Black Identifies New Shlayer Malware Targeting Macs

Researchers at Carbon Black have identified a new Shlayer malware variant that targets Mac computers running MacOS versions 10.10.5 to 10.14.3.

The researchers first identified the OrA new Shlayer malware variant a year ago. Mac computers and disables macOS Gatekeeper security software.

The threat actors spread the malware by distributing fake Flash Player updates. When users visit certain websites, a warning is displayed advising users to update their Flash Player as their current version requires an urgent security update.

The researchers first identified the OrA new Shlayer malware variant a year ago; this campaign predominantly targeted users visiting BitTorrent websites. The most recent attack utilises malvertising to distribute the software. Malvertising is the practice of using online advertising to spread malware; the ads may appear on legitimate websites and look completely authentic. When the user clicks the ad, the malware infiltrates their system. 

Once the user falls for the hacker’s scheme, the malware is delivered in a DMG, ISO, PKG, or ZIP file. Carbon Black notes that the DMG file is signed with a legitimate Apple developer ID which avoids the generation of warnings. When the user executes the code, they launch a hidden command script, which in turn decrypts a second script. A further script installs the malicious payload.

The malware harvests system information and creates a custom ID. Then, it downloads a second stage payload – an app file – from a remote URL and  the system executes the file.

Shlayer malware gains root privileges and tries to download additional malicious software. While analysing the code, Carbon Black discovered additional adware on the infected device. 

The malware also disables macOS security software, Gatekeeper, using spctl, which allows additional payloads to be run undetected and without any user interaction.    

The threat actors only targeted a small number of individuals during that use Torrents sites during the initial campaign. The latest attack had a much broader scope, as the malvertising targets people who are visiting a wide variety of website.

If a Flash Player ad appears on your browser, visit the official Adobe website to check whether an update is required. Never download software updates in response to warnings received when browsing the internet.

The identity of the threat actor behind this campaign is still unknown.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at