In 2019, Kaspersky prevented attacks carried out by Shlayer, a malware Trojan family, at least once on every 10th device using Kaspersky solutions for Mac, making this threat the most widespread for macOS users. Backed by a sophisticated distribution system, Shlayer spreads via a partner network, entertainment websites and even Wikipedia, demonstrating that even users who only visit legitimate sites still need additional protection online.
Despite macOS' reputation as a much safer and more secure system, there are still cybercriminals trying their luck to profit from macOS users, and Shlayer is a perfect example. It specializes in the installation of adware - programs that terrorize users by feeding illicit ads, intercepting and gathering users' browser queries, and modifying search results to distribute even more advertising messages.
Shlayer's share among all attacks on macOS devices registered by Kaspersky products in January - November 2019 amounted to almost a third (29.28%), with nearly all other top 10 macOS threats being the adware that Shlayer installs: AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, AdWare.OSX.Pirrit and AdWare.OSX.Cimpli. Furthermore, ever since Shlayer was first detected, its infection algorithm has hardly changed, and its activity has barely decreased, making it an especially relevant threat that users need protection from.
The infection process often consists of two phases. First, the user installs Shlayer, then the malware installs a selected type of adware. Device infection, however, starts with an unwitting user downloading the malicious program. To drive installations, the threat actor behind Shlayer set up a distribution system with a number of channels leading users to download the malware.
Shlayer is offered as a way to monetize websites in a number of file partner programs, with relatively high payment for each malware installation made by American users, prompting over 1,000 "partner sites" to distribute Shlayer. This scheme works as follows: a user looks for a TV series episode or a sports broadcast, and advertising landing pages redirect them to fake Flash Player update pages. From here, the victim would download the malware. For every such installation, the partner who distributed links to the malware receives a pay-per-install payment.
Other schemes lead to a fake Adobe Flash update page redirecting users from various large online services with multi-million-visitor audiences, including YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in the articles' references. Users who clicked on these links would also get redirected to the Shlayer download landing pages. Kaspersky researchers found 700 domains with malicious content, links to which were placed on a variety of legitimate websites.
[Figure: YouTube video and Wikipedia page with malicious links in description]
Almost all of the websites leading to a fake Flash Player contained content in English. This corresponds with the top countries where users have been affected by the threat - the USA (31%), Germany (14%), France (10%) and the UK (10%).
[Figure: Shlayer victims' geography, February 2018 - October 2019]
"The macOS platform is a good source of revenue for cybercriminals, who are constantly looking for new ways to deceive users, and actively use social engineering techniques to spread their malware," said Anton Ivanov, Kaspersky security analyst. "This case demonstrates that such threats can be found even on legitimate sites. Luckily for macOS users, the most widespread threats that target macOS currently revolve around feeding illicit advertising, rather than something more dangerous, such as stealing financial data. A good web security solution can protect users from threats such as these, making the experience of searching the web safe and pleasant."
Kaspersky solutions detect Shlayer and its artefacts with the following verdicts:
- HEUR:Trojan-Downloader.OSX.Shlayer.*
- not-a-virus:HEUR:AdWare.OSX.Cimpli.*
- not-a-virus:AdWare.Script.SearchExt.*
- not-a-virus:AdWare.Python.CimpliAds.*
- not-a-virus:HEUR:AdWare.Script.MacGenerator.gen
Pages, artefacts and links for this Trojan family, as well as additional details of the findings, can be found on Securelist.com.
To reduce the risk of infection with Trojans such as Shlayer, Kaspersky recommends:
- Installing programs and updates only from trusted sources
- Finding out more about the entertainment website you are planning to visit: check its reputation online and look for feedback from other users
- Using a reliable security solution like Kaspersky Security Cloud that delivers advanced protection on Mac, as well as on PC and mobile devices