During 2019, network security specialists from Kaspersky issued reports on thousands of infections of Shlayer, a new Trojan family, managing to prevent attacks on one in ten Mac devices. Although it appeared that the threat had been contained, recent reports claim that the malware remains active.
In its report, Kaspersky mentions that the attackers employ an ingenious method of distribution, deploying Shlayer through affiliate networks, entertainment websites and even via Wikipedia, so it is not only users who browse insecure websites who are exposed: the malware can also reach visitors coming from legitimate pages.
Although macOS is considered a much more secure system than other widely used options, many groups of threat actors manage to develop methods of attack against users of this system and, over the past year, Shlayer infections were an important example of this trend.
Kaspersky’s network security experts claim that Shlayer was the most active malware on any Apple system. Dedicated to the installation of adware, Shlayer collects the searches made in the browser and subsequently alters the results displayed to the target user in order to show more invasive advertisements.
Regarding the infection process, Kaspersky detected that it is divided into two phases: installing Shlayer, and then installing a specific adware variant. First, the victim must download the malware; for this, the attacker must get the victim to perform the download through the malware’s distribution system.
Threat actors often offer Shlayer as an option to monetize websites as part of a partner program, assuring website administrators that they will receive a relatively high payment for each installation of this adware.
According to Kaspersky network security experts, the scheme works as follows:
1. The potential victim searches for online content (streaming sporting events, movies on pirate sites, etc.).
2. These pages redirect the user to fake Flash Player update pages.
3. On the fake page, the victim downloads the malware.
However, this is not the only way to complete the infection. Attackers have also managed to place links to the fake Adobe Flash page on legitimate platforms such as video descriptions on YouTube or references in Wikipedia articles. In total, Kaspersky detected 700 domains (legitimate and illegal) with links to the malware download site.
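The three-step scheme above (lure page, redirect to a fake "Flash Player update" page, installer download) leaves a recognisable trail in web-proxy logs. The following is an added detection example, not code from Kaspersky or from the article: it walks constructed log lines (an assumed format, with made-up domains rather than real Shlayer indicators) and flags macOS installer downloads served by a "Flash update" page that is not hosted by Adobe, reporting the lure site that started the chain.

```python
import re
from urllib.parse import urlparse

# Constructed web-proxy log lines, one request per line; no real Shlayer indicators.
# Assumed format: <timestamp> <client-ip> <referer-or-"-"> <url> <status> <content-type>
SAMPLE_LOG = """\
2019-11-03T10:01:02Z 10.0.0.5 - http://stream-sports.invalid/live/match 200 text/html
2019-11-03T10:01:05Z 10.0.0.5 http://stream-sports.invalid/live/match http://flash-update.invalid/player/update.html 200 text/html
2019-11-03T10:01:09Z 10.0.0.5 http://flash-update.invalid/player/update.html http://flash-update.invalid/dl/FlashPlayer.dmg 200 application/x-apple-diskimage
2019-11-03T10:05:00Z 10.0.0.7 - https://get.adobe.com/flashplayer/ 200 text/html
2019-11-03T10:05:04Z 10.0.0.7 https://get.adobe.com/flashplayer/ https://download.adobe.com/example/flashplayer.dmg 200 application/x-apple-diskimage
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
LEGIT_FLASH_DOMAINS = ("adobe.com",)        # genuine Flash installers came from Adobe
LURE_WORDS = ("flash", "player", "update")  # wording used by the fake update lure
INSTALLER_TYPES = ("application/x-apple-diskimage", "application/octet-stream")

def _is_adobe(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_FLASH_DOMAINS)

def _is_installer(url, ctype):
    return url.lower().endswith((".dmg", ".pkg")) or ctype in INSTALLER_TYPES

def find_fake_flash_chains(log_text):
    """Return one finding per macOS installer download whose referring page
    looks like a Flash update page but is not hosted by Adobe."""
    last_referer = {}  # (client, url) -> referer, so the chain can be walked back
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, referer, url, status, ctype = m.groups()
        last_referer[(client, url)] = referer
        if status != "200" or not _is_installer(url, ctype):
            continue
        page = referer
        host = urlparse(page).hostname or ""
        looks_like_flash = any(w in page.lower() for w in LURE_WORDS)
        if looks_like_flash and not _is_adobe(host):
            lure = last_referer.get((client, page), "-")  # site that redirected here
            findings.append({"time": ts, "client": client, "lure_site": lure,
                             "fake_update_page": page, "download": url})
    return findings
```

On the sample log this reports the 10.0.0.5 chain from the streaming lure and leaves the genuine Adobe download alone.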
Although most Shlayer activity is concentrated in the United States, a considerable number of attacks have also been detected in Germany, France, the United Kingdom and other European countries.
International Institute of Cyber Security (IICS) network security specialists believe attacks on macOS users to be a significant source of profit for attackers, especially through social engineering campaigns that are easy to deploy even on legitimate platforms. Fortunately it’s not all bad news, as experts say that users of this operating system are less exposed to data theft incidents than users of its counterparts, although it would be a good idea to consider additional data security measures.