Report Suggests 10% of All Macs Attacked By Shlayer Trojan

Source: Bleeping Computer / Lawrence Abrams

January 25: Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single Apple malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

These web sites have become so common that Kaspersky reports that 1 in 10 (10%) of Apple computers have been attacked by the Shlayer Trojan.

“In 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS,” Kaspersky stated in their report.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

Fake web site promoting the Shlayer Trojan
Source: Kaspersky

These Flash Player updates, though, are actually the Shlayer Trojan, and when executed they install a cocktail of malware onto the computer.

The Shlayer Trojan installs other malware

When the Shlayer Trojan is executed it will pretend to install the Adobe update and also include an offer like the BlueStacks App Player shown below.

Offer installed by Shlayer
Source: Kaspersky

What victims do not realize, though, is that regardless of whether you press Skip or Next, the Shlayer Trojan will quietly install further malware infections on the computer.

First, it installs a malicious browser extension into Safari that monitors your search and browsing activity and redirects you to other search engines. This extension is installed without your permission through fake alert overlays that, when clicked, tell macOS that it should allow the extension to install.

Extension code
Source: Kaspersky

Next, it will install the mitmdump proxy software under the name ‘SearchSkilledData’ and install a trusted certificate so it can analyze and modify HTTPS traffic. The browser will then be configured to send all traffic through this proxy.

mitmdump running as SearchSkilledData
Source: Kaspersky

This will allow the malware to inject advertisements into any web page, monitor browser traffic, and inject scripts into web sites that you visit.

Even worse, it allows them to analyze and modify all traffic, even encrypted traffic such as online banking, logging into email, or any other secure activity.
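A triage check for the proxy behaviour described above, written as an added example (not Kaspersky's or Bleeping Computer's code): it parses text captured from `networksetup -getwebproxy` / `-getsecurewebproxy` and `ps -axo comm=` on the Mac under review and flags an enabled proxy pointed at the local machine or a process carrying the renamed mitmdump binary. The sample outputs and the install path are constructed for the demonstration.

```python
def parse_proxy(output: str) -> dict:
    """Parse the 'Key: Value' lines networksetup prints for a proxy setting."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def proxy_suspicious(output: str) -> bool:
    """The reported pattern: a local mitmdump listener with the browser's
    HTTP/HTTPS proxy enabled and pointed at it."""
    f = parse_proxy(output)
    return f.get("Enabled") == "Yes" and f.get("Server") in {"127.0.0.1", "localhost", "::1"}


def suspicious_processes(ps_output: str, names=("SearchSkilledData", "mitmdump")) -> list:
    """Return running commands whose basename matches mitmdump or its reported alias."""
    hits = []
    for line in ps_output.splitlines():
        path = line.strip()
        if path.rsplit("/", 1)[-1] in names:
            hits.append(path)
    return hits


def triage(web_proxy: str, secure_proxy: str, ps_output: str) -> list:
    """Combine the checks into a list of human-readable findings."""
    findings = []
    if proxy_suspicious(web_proxy):
        findings.append("HTTP proxy enabled and pointed at localhost")
    if proxy_suspicious(secure_proxy):
        findings.append("HTTPS proxy enabled and pointed at localhost")
    for proc in suspicious_processes(ps_output):
        findings.append(f"process matches renamed mitmdump: {proc}")
    return findings


# Constructed sample output (assumption: not captured from a real infection).
SAMPLE_WEB = "Enabled: Yes\nServer: 127.0.0.1\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_SECURE = SAMPLE_WEB
SAMPLE_PS = (
    "/sbin/launchd\n"
    "/Library/Application Support/SearchSkilledData/SearchSkilledData\n"  # hypothetical path
    "/Applications/Safari.app/Contents/MacOS/Safari\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_WEB, SAMPLE_SECURE, SAMPLE_PS):
        print("[!]", finding)
```

On a real machine, substitute the live outputs for the three sample strings; a clean system should yield an empty findings list.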

How to protect yourself against Shlayer

Unfortunately, this operation is a global threat with victims throughout the world, the lion's share of them located in the USA.

To protect yourself, Apple users should install reliable antivirus software and practice good web-browsing habits.

When browsing the web, if any site states that you must install an update to watch a video or perform an activity, immediately leave that site.

These types of sites are almost always trying to push something unwanted on you.

