MacOS Trojan disables Gatekeeper to deploy malicious payloads

Shlayer has been spreading as a fake Adobe Flash update.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a new variant of the Shlayer macOS malware which is able to disable Gatekeeper after infecting a system to deploy unsigned payloads.

This week, cybersecurity researchers from Carbon Black's Threat Analysis Unit (TAU) team said that the latest version of the malware is primarily disguised as a fake Adobe Flash updater and has been spreading via malicious websites, hijacked domains, and malvertising.

Three variants of Shlayer were first discovered by Intego in 2018 on BitTorrent file sharing sites. 

The Trojan leveraged shell scripts to download malicious payloads and adware, most often acting as a dropper for OSX/MacOffers -- BundleMeUp, Mughthesec, and Adload -- as well as the OSX/Bundlore adware.

The new Shlayer samples affect Apple macOS versions 10.10.5 through 10.14.3 (Mojave). It is not believed that other operating systems, such as Microsoft Windows, are impacted.

Shlayer uses code signing -- a cryptographic digital signature ascribed to software -- in order to bypass Gatekeeper protections. Developers under the Apple Developer Program are able to sign their apps to prove legitimacy, but unfortunately, the process is used by genuine app creators and threat actors alike.

The new malware variants arrive on victim systems as DMG files, delivered through .PKG, .ISO, and .ZIP payloads, which are signed using this technique.


Once the .DMG file has been installed, a .command script is executed from a hidden directory; this script decrypts a second script, which contains yet another script that is then finally executed.

The script will then collect information relating to the system, including macOS version and unique identifiers, before generating a session GUID and attempting to escalate its privilege level to root with sudo using a technique discussed by researcher Patrick Wardle at Defcon 2017.


Once these privileges have been escalated, the script will attempt to disable Gatekeeper using spctl and download additional payloads, generally thought to be adware, just as in the case of past Shlayer variants.

"This allows the whitelisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the Internet," TAU says. "Furthermore, many of the payloads contained within the second stage download are signed with a valid developer ID."
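The behaviour chain described above (a .command script run from a hidden directory, then spctl invoked under sudo to weaken Gatekeeper) is something a defender can look for in process-execution telemetry. The following is an added example, not code from TAU or the article; the log line format (`user cmd=<command line>`) and the sample entries are constructed for illustration.

```python
"""Flag process launches that match the Gatekeeper-tampering pattern described above."""
import os
import re
import shlex

# Constructed sample telemetry (not real EDR output): one process launch per line.
SAMPLE_LOG = """\
alice cmd=/usr/bin/open /Volumes/AdobeFlashPlayer/Install.app
alice cmd=/bin/sh /Volumes/AdobeFlashPlayer/.hidden/Install.command
alice cmd=sudo spctl --master-disable
root cmd=spctl --add --label example-label /Users/alice/Library/tmp/helper.app
alice cmd=spctl --status
bob cmd=sudo softwareupdate --list
"""

# spctl options that turn Gatekeeper off or whitelist a specific binary.
GATEKEEPER_TAMPER = {"--master-disable", "--add"}

def classify(cmdline):
    """Return the reasons a command line looks suspicious, or [] if it looks benign."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["unparseable command line"]
    reasons = []
    # Look through sudo to the program actually being run.
    elevated = bool(argv) and argv[0] == "sudo"
    prog = argv[1:] if elevated else argv
    if prog and os.path.basename(prog[0]) == "spctl":
        flags = set(prog[1:]) & GATEKEEPER_TAMPER
        if flags:
            reasons.append("spctl weakens Gatekeeper: " + " ".join(sorted(flags)))
            if elevated:
                reasons.append("run via sudo")
    # A .command script launched from a dot-directory (hidden in Finder).
    for arg in prog:
        if arg.endswith(".command") and re.search(r"/\.[^/]+/", arg):
            reasons.append("hidden .command script: " + arg)
    return reasons

def scan(log_text):
    """Return (user, cmdline, reasons) for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        user, _, cmdline = line.partition(" cmd=")
        reasons = classify(cmdline)
        if reasons:
            findings.append((user, cmdline, reasons))
    return findings

if __name__ == "__main__":
    for user, cmd, why in scan(SAMPLE_LOG):
        print(f"[{user}] {cmd}\n    {'; '.join(why)}")
```

`spctl --status` is left unflagged on purpose, since querying Gatekeeper state is routine administration; only the calls that change it are reported.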


While adware may not seem like anything more than a nuisance, such software -- as well as the Trojan's unfettered ability to download other payloads -- can be a serious threat to your privacy and security. If the threat actors chose, they could, for example, download destructive malware, cryptocurrency miners, or ransomware.

TAU has provided an indicator of compromise (IOC) list on GitHub.

Earlier this month, developer Jeff Johnson revealed a bug in an API used by macOS Mojave which grants access to Safari browsing data without folder protections. Apple has acknowledged the problem. 
