The attack evades antivirus detection and tricks users into bypassing Apple's built-in macOS protection, Intego has found.
Mac security software company Intego observed that since June 12 a new malware installer has had a 0/60 detection rate among all antivirus engines on VirusTotal.
In a blog post, Intego identified the malware as unique new variants of OSX/Shlayer and OSX/Bundlore (similar to previous versions of OSX/MacOffers and Mughthesec/BundleMeUp/Adload).
The updated Shlayer malware is delivered as a Trojan horse on a .dmg disk image, posing as an Adobe Flash Player installer.
Sarb Sembhi, CTO and CISO at Virtually Informed, observed: “This malware seems to have all the important hallmarks criminals like: Mac owners are thought to be wealthier than other device owners; Mac owners trust their devices and believe that the device will protect them.
“The malware writers have taken previous Mac malware and learnt from it how they can abuse trust in the right way.”
Sembhi added that, to learn from past malware incidents, significant advances in any malware must be seen as a test for the future.
“…most development is iterative and malware has not been much different; whether the iteration is from the original author or a copycat, the fact is that the approach, techniques or methods used will be used again,” he explained.
“Although we are still in the early days of Mac malware, users shouldn’t assume it doesn’t exist, or that they won’t be affected, and they should pay attention to the messages from the operating system where they are given options to accept opening such apps – Don’t! Or the warning will be reality: you will be infected.”
Intego stated that its VirusBarrier X9 is the first anti-malware solution known to detect and remove this malware.
After the deceptive Flash Player installer is downloaded, the disk image mounts and displays instructions on how to install it.
The instructions tell the user to right-click the flashInstaller file and choose 'Open', then click 'Open' in the dialog box that appears. That sequence is the standard way for a user to override Gatekeeper's warning about software from an unidentified developer, and because the file is a shell script rather than an application, opening it this way runs the script in Terminal.
As the script runs, it extracts a password-protected .zip archive embedded in the script itself, which contains a malicious Mac .app bundle.
The app is installed in a hidden temporary folder and launched, and the script then quits Terminal, all within about a second.
The malware then downloads a legitimate, Adobe-signed Flash Player installer so that the installation appears genuine, while the hidden Mac app can download any other Mac malware or adware package, depending on what those controlling the servers want to do.
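The installer pattern described above (a shell script with an encrypted zip appended to it, holding a Mac .app bundle) can be triaged without running anything: a zip local file header records in its general-purpose flags whether the entry is encrypted, and a shell script has no legitimate reason to carry one. The following Python is an added example written for this article, not Intego's tooling and not the real Shlayer script; the sample "trojan" bytes, the benign comparison files and the string indicators (`unzip -P`, `tail -c`, `dd if=$0`) are constructed and assumed for the demo.

```python
"""Triage a file for the Shlayer-style pattern: a shell script carrying an
embedded, password-protected zip that holds a Mac .app bundle.

Added example; the sample bytes below are constructed for the demo and the
string indicators are our own assumptions, not signatures from Intego.
"""
import struct

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # local file header signature (APPNOTE 4.3.7)
ZIP_FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is encrypted
# Shell idioms commonly used to carve and unpack a payload appended to a script
# (assumed indicators chosen for this example).
UNPACK_INDICATORS = (b"unzip -P", b"tail -c", b"tail -n", b"dd if=$0", b'dd if="$0"')


def find_embedded_zip_entries(data: bytes):
    """Return (offset, flags, name) for every zip local file header in data."""
    entries = []
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        if pos + 30 <= len(data):
            # header layout: sig(4) version(2) flags(2) method(2) time(2) date(2)
            #                crc32(4) csize(4) usize(4) name_len(2) extra_len(2)
            (flags,) = struct.unpack_from("<H", data, pos + 6)
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
            entries.append((pos, flags, name))
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return entries


def triage_file(data: bytes) -> dict:
    """Score one file: is it a script, does it embed encrypted zip entries,
    and does one of those entries look like a Mach-O inside an .app bundle?"""
    entries = find_embedded_zip_entries(data)
    encrypted = [e for e in entries if e[1] & ZIP_FLAG_ENCRYPTED]
    is_script = data.startswith(b"#!")
    carries_app = any(".app/Contents/MacOS/" in e[2] for e in entries)
    unpack_hits = [i.decode() for i in UNPACK_INDICATORS if i in data]
    return {
        "is_script": is_script,
        "zip_entries": len(entries),
        "encrypted_entries": len(encrypted),
        "carries_app_bundle": carries_app,
        "unpack_indicators": unpack_hits,
        # Verdict: a script should never carry an encrypted archive at all.
        "suspicious": is_script and bool(encrypted),
    }


def build_local_entry(name: bytes, flags: int, payload: bytes) -> bytes:
    """Hand-build one zip local file header + stored payload so the demo needs
    no external tool. Only the header fields are inspected, so no real
    encryption is applied even when the encrypted flag is set."""
    header = struct.pack(
        "<HHHHHIIIHH",
        20,            # version needed to extract
        flags,         # general-purpose bit flags
        0,             # compression method: stored
        0, 0,          # mod time, mod date
        0,             # crc32 (not checked in this demo)
        len(payload),  # compressed size
        len(payload),  # uncompressed size
        len(name),     # file name length
        0,             # extra field length
    )
    return ZIP_LOCAL_HEADER + header + name + payload


# Constructed sample: a script whose tail is an encrypted zip holding an .app
# (the payload starts with the 64-bit Mach-O magic bytes CF FA ED FE).
SAMPLE_TROJAN = (
    b"#!/bin/bash\n"
    b"tail -c +9999 \"$0\" > /tmp/.hidden/p.zip\n"
    b"unzip -P pass /tmp/.hidden/p.zip -d /tmp/.hidden\n"
    b"exit 0\n"
    + build_local_entry(b"Player.app/Contents/MacOS/Player", ZIP_FLAG_ENCRYPTED,
                        b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
)

# Constructed benign comparison cases.
SAMPLE_PLAIN_SCRIPT = b"#!/bin/sh\necho 'installing'\n"
SAMPLE_PLAIN_ZIP = build_local_entry(b"readme.txt", 0, b"hello")  # a zip, not a script


if __name__ == "__main__":
    for label, blob in (("trojan", SAMPLE_TROJAN), ("script", SAMPLE_PLAIN_SCRIPT),
                        ("zip", SAMPLE_PLAIN_ZIP)):
        print(label, triage_file(blob))
```

Run it against the contents of a mounted disk image (`python3 triage.py` after pointing `data` at each file) and anything that is both a shebang script and an encrypted zip warrants a closer look; a plain encrypted zip or a plain script on its own is not flagged, which keeps the check quiet on legitimate software.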
Dan Sloshberg, Cyber Resilience Expert at Mimecast, commented that this type of attack is another example of how cybercriminals are modifying their attack methodologies to prey on people's trust in well-known brands, in this case Adobe Flash Player.
Sloshberg commented: “Brand spoofing is becoming more common, with our State of Email Security report finding that 51% of respondents have seen an increase in the volume of email-based spoofing of well-known internet brands.
“What is apparent is that defending against malware is a constant battle, hackers are continuously refining malware to get around established security. Despite this continuous threat, our State of Email Security report also found that 39% of organisations still do not have a system in place for monitoring and protecting against malware attacks.”
He added that this discovery should act as a reminder that people should be extremely cautious about installing any software unless they have gone directly to a reputable software vendor's site and done so themselves.
“It’s best to always ignore any prompt requests of this nature that may appear when surfing the web. Individuals may have a flawed sense of security that because they are using a Mac they can regard themselves as safe, however, this attack goes to show that this is no longer accurate.
“It’s also evident that you can’t rely wholly on endpoint AV solutions to protect you from these types of attacks and that more needs to be done.”
The malware spreads through poisoned Google search results for the exact titles of YouTube videos.
Intego’s research team found search results that click through multiple redirection sites to a page claiming that the visitor's Flash Player is out of date.
The fake warning entices the victim to download what they believe is a Flash Player update but which is in reality the Trojan horse.
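The distribution chain just described leaves a recognisable trace in a web proxy log: a search-engine results page, a burst of 3xx redirects across several hosts, then a .dmg download from somewhere that is not Adobe. The Python below is an added example of hunting for that sequence, written for this article rather than taken from Intego's research; the log format (`epoch client status url`), the log lines, the `.example` domains and the Adobe allowlist are all constructed assumptions for the demo.

```python
"""Hunt for the search-result-to-fake-Flash chain in proxy logs: a search
engine results click, several redirect hops on different hosts, then a .dmg
download from a host that is not Adobe's.

Added example, not Intego's tooling. The log format (epoch client status url),
the log lines and the domains are constructed for this demo.
"""
from collections import defaultdict
from urllib.parse import urlparse

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.")
TRUSTED_DOWNLOAD_DOMAINS = ("adobe.com",)   # assumed allowlist for Flash installers

# Constructed proxy log excerpt: one poisoned-search victim, one legitimate
# Adobe download, and one client with a single redirect and no search.
SAMPLE_LOG = """\
1592000000 10.0.0.5 200 https://www.google.com/search?q=exact+youtube+video+title
1592000003 10.0.0.5 302 http://seo-bait.example/watch-video-now
1592000004 10.0.0.5 302 http://track.example/r?id=123
1592000004 10.0.0.5 302 http://cdn-redir.example/go
1592000005 10.0.0.5 200 http://flash-alert.example/your-flash-player-is-out-of-date.html
1592000009 10.0.0.5 200 http://dl.flash-alert.example/FlashPlayer.dmg
1592000100 10.0.0.7 200 https://www.google.com/search?q=adobe+flash+player
1592000103 10.0.0.7 200 https://get.adobe.com/flashplayer/
1592000110 10.0.0.7 200 https://fpdownload.adobe.com/get/install_flash_player_osx.dmg
1592000200 10.0.0.9 302 http://short.example/abc
1592000201 10.0.0.9 200 http://files.example/tool.dmg
"""


def parse_log(text):
    """Return (ts, client, status, url) tuples sorted by time; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, status, url = parts
        events.append((int(ts), client, int(status), url))
    return sorted(events)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted_download_host(host):
    # Exact match or subdomain only, so "notadobe.com" does not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOWNLOAD_DOMAINS)


def is_search_results_page(url):
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return any(tok in host for tok in SEARCH_ENGINE_HOSTS) and p.path == "/search"


def find_seo_poisoning_downloads(log_text, window_s=60, min_redirect_hosts=2):
    """Flag .dmg downloads from untrusted hosts that were preceded, within
    window_s seconds for the same client, by a search results page and by
    at least min_redirect_hosts distinct hosts answering with 3xx redirects."""
    by_client = defaultdict(list)
    for ev in parse_log(log_text):
        by_client[ev[1]].append(ev)

    alerts = []
    for client, events in by_client.items():
        for i, (ts, _, _, url) in enumerate(events):
            if not url.lower().endswith(".dmg") or is_trusted_download_host(host_of(url)):
                continue
            recent = [e for e in events[:i] if ts - e[0] <= window_s]
            redirect_hosts = sorted({host_of(e[3]) for e in recent if 300 <= e[2] < 400})
            search_hits = [e[3] for e in recent if is_search_results_page(e[3])]
            if search_hits and len(redirect_hosts) >= min_redirect_hosts:
                alerts.append({
                    "client": client,
                    "download": url,
                    "search_url": search_hits[0],
                    "redirect_hosts": redirect_hosts,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_seo_poisoning_downloads(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately conservative: a single redirect, or a .dmg fetched without a preceding search, is normal browsing, so only the search-plus-multi-hop-plus-untrusted-download combination raises an alert. Adjust `window_s` and `min_redirect_hosts` to your own traffic, and extend the allowlist for any vendors whose installers your users legitimately download.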
Martin Jartelius, CSO at Outpost24, observed: “This is a rather gross misrepresentation. The threat actor names pages with popular YouTube videos’ exact names, to become a good match, and this points to a malware file instead.
“Google is not at fault, and the visitors are fooled into installing the malware, so it is a Trojan horse distributed by fooling users; like email phishing, this is search-results-based phishing. Interesting as such. But Google search is as safe as ever. That is, it helps you find stuff on the Internet, but it is full of bad things. So, browse with caution.”
Separately, new research from Sophos shows how an aggressive variant of bundleware drops a total of seven “potentially unwanted applications” (PUAs) under the guise of installing one legitimate application. Sophos also reports the following:
- Bundlore is the second most common threat to macOS Catalina users, responsible for almost 7% of attacks against the macOS platform.
- Bundlore has been updated to adapt to recent changes in macOS and Safari.
- Adware developers monetise victims by redirecting their browsing and hijacking their clicks.
- Bundlore also exposes victims to malvertising, using PUAs to inject ads into web pages the victim visits; in at least one case, this prompted the download of a fake Adobe Flash update.