
How to analyze MacOS malware Shlayer

2025-01-18 Update. From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to analyze the macOS malware Shlayer. The content is fairly detailed; readers interested in the topic may find it useful.

Over the past two years, the Shlayer Trojan has been the most common malware on the macOS platform: one in ten macOS users has been attacked by it, and it accounts for 30% of all attacks detected on that operating system. The first samples were found in February 2018. Since then, nearly 32,000 malicious samples of different Trojan variants have been collected and 143 C&C servers have been identified.

Since Shlayer was first discovered, the algorithm it uses has hardly changed, and its level of activity has remained stable.

Technical details

From a technical point of view, Shlayer is a fairly ordinary piece of malware. Of all the variants, only the latest Trojan downloader, OSX.Shlayer.e, stands out: this variant is written in Python and its algorithm differs from the others. The analysis below is based on the sample with MD5 4d86ae25913374cfcb80a8d798b9016e.

The first stage of infection

After the DMG image is mounted, the user is prompted to run the installer, which is a Python script.

The executable directory inside the application bundle contains two Python scripts: GJPWVUUD847 DZQPYBI (main) and GoqWajdBuV6 (auxiliary). The latter implements the data encryption routines:

Next, the main script generates a unique user and system ID and collects information about the macOS version. From this data it builds the GET query parameters and downloads a ZIP file:

The ZIP file is downloaded to the /tmp/%(sessionID) directory and extracted to /tmp/tmp using unzip:

The ZIP archive contains an application bundle whose executable is named 84cd5bba3870:

After extracting the archive, the Python script uses chmod to make the file 84cd5bba3870 executable:

The sample uses the moveIcon and findVolumePath functions to copy the icon of the original DMG into the same directory as the newly downloaded application bundle:

The Trojan uses built-in system tools for downloading and extraction, and afterwards deletes both the downloaded file and its extracted contents:
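The first-stage chain described above (a Python interpreter launched from a mounted image, a ZIP extracted into /tmp, a chmod on the payload, a launch from /tmp and a cleanup) is a useful behavioural signature for endpoint telemetry. The following detection logic is an added example, not code from the original article or from the sample; the process events and paths are constructed, and the field layout of the telemetry is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of endpoint process telemetry (not real logs): each entry is
# (pid, ppid, executable, command line). The paths mimic the chain described above.
EVENTS = [
    (501, 1,   "/usr/bin/python", "python /Volumes/Install/Install.app/Contents/MacOS/main"),
    (502, 501, "/usr/bin/unzip",  "unzip -o /tmp/ab12cd34/payload.zip -d /tmp/tmp"),
    (503, 501, "/bin/chmod",      "chmod +x /tmp/tmp/84cd5bba3870.app/Contents/MacOS/84cd5bba3870"),
    (504, 501, "/usr/bin/open",   "open /tmp/tmp/84cd5bba3870.app"),
    (505, 501, "/bin/rm",         "rm -rf /tmp/ab12cd34 /tmp/tmp"),
    # Benign activity: a user script unpacking an archive into the home directory.
    (601, 1,   "/usr/bin/python", "python /Users/alice/scripts/backup.py"),
    (602, 601, "/usr/bin/unzip",  "unzip /Users/alice/archive.zip -d /Users/alice/out"),
]

# Each stage is a regex over a child's command line; several must occur under
# one parent for a hit, so a lone unzip or chmod does not trigger an alert.
STAGES = {
    "unzip_to_tmp":      re.compile(r"^unzip\b.*\s/tmp/\S+\.zip\b.*-d\s+/tmp/"),
    "chmod_exec_in_tmp": re.compile(r"^chmod\s+\+x\s+/tmp/"),
    "launch_from_tmp":   re.compile(r"^open\s+/tmp/\S+\.app"),
    "cleanup":           re.compile(r"^rm\s+-rf?\s+/tmp/"),
}
# A Python interpreter whose script lives inside an .app on a mounted disk image.
INTERPRETER_FROM_DMG = re.compile(r"^python\S*\s+/Volumes/[^/]+/[^ ]+\.app/Contents/MacOS/")

def find_suspicious_chains(events, min_stages=3):
    """Return {parent_pid: [stage names]} for interpreter parents launched from a
    mounted image whose children complete at least min_stages of the chain."""
    by_parent = defaultdict(list)
    parents = {}
    for pid, ppid, exe, cmd in events:
        if exe.endswith("python") and INTERPRETER_FROM_DMG.match(cmd):
            parents[pid] = cmd
        by_parent[ppid].append(cmd)
    hits = {}
    for pid in parents:
        seen = [name for name, rx in STAGES.items()
                if any(rx.match(c) for c in by_parent[pid])]
        if len(seen) >= min_stages:
            hits[pid] = seen
    return hits

if __name__ == "__main__":
    for pid, stages in find_suspicious_chains(EVENTS).items():
        print(f"pid {pid}: {', '.join(stages)}")
```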

The second stage of infection

Shlayer itself only carries out the initial phase of the attack: it penetrates the system, loads the payload and runs it. An analysis of the AdWare.OSX.Cimpli payload shows the impact on users.

The Cimpli installer looks harmless and appears to do nothing beyond the installation itself:

But Cimpli actually performs operations that the user cannot see. First, it installs a malicious extension in Safari, hiding the operating system's security notification behind a window spoofed by the malware. By clicking the button in that window, the user unknowingly agrees to install the extension.

One of the extensions is ManagementMark, detected as not-a-virus:HEUR:AdWare.Script.SearchExt.gen. It monitors the user's search queries and redirects them to the address hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c:

The sample also loads the mitmdump tool, packaged with PyInstaller. A self-signed certificate is added to the system trust store so that mitmdump can inspect HTTPS traffic, and all user traffic is redirected to mitmdump's SOCKS5 proxy.

All traffic passing through mitmdump (SearchSkilledData) is handled by the script SearchSkilledData.py (the -s option):

This script redirects all user search queries to hxxp://lkysearchds3822-a.akamaihd[.]net. Cimpli is not the only adware family delivered by Shlayer; others include AdWare.OSX.Bnodlero, AdWare.OSX.Geonei and AdWare.OSX.Pirrit.
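The second-stage changes just described leave two host-level traces that are easy to check during triage: a system SOCKS proxy pointing at the local machine, and an interception CA in the keychain. The following triage helper is an added example, not code from the original article; it parses constructed sample output in the format of `networksetup -getsocksfirewallproxy` and `security find-certificate -a`, and the label "mitmproxy" for the CA is an assumption based on the stock mitmproxy certificate name.

```python
import re

# Constructed sample outputs (not captured from a real host). The first mimics
# `networksetup -getsocksfirewallproxy Wi-Fi`; the second mimics the per-item
# attribute blocks printed by `security find-certificate -a`.
SOCKS_OUTPUT = """Enabled: Yes
Server: 127.0.0.1
Port: 8080
Authenticated Proxy Enabled: 0
"""
CERT_OUTPUT = """keychain: "/Library/Keychains/System.keychain"
attributes:
    "alis"<blob>="Apple Root CA"
    "labl"<blob>="Apple Root CA"
keychain: "/Library/Keychains/System.keychain"
attributes:
    "alis"<blob>="mitmproxy"
    "labl"<blob>="mitmproxy"
"""
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Assumption: the interception CA keeps the default label of the tool that made it.
SUSPECT_LABELS = ("mitmproxy",)

def parse_socks(out):
    """Return (enabled, server, port) from networksetup-style key: value lines."""
    kv = dict(line.split(": ", 1) for line in out.splitlines() if ": " in line)
    return kv.get("Enabled") == "Yes", kv.get("Server", ""), kv.get("Port", "")

def cert_labels(out):
    """Return the label ("labl") of every keychain item in the dump."""
    return re.findall(r'"labl"<blob>="([^"]*)"', out)

def assess(socks_out, cert_out):
    """Combine both indicators into a list of human-readable findings."""
    findings = []
    enabled, server, port = parse_socks(socks_out)
    if enabled and server in LOCAL_HOSTS:
        findings.append(f"system SOCKS proxy points at local {server}:{port}")
    for label in cert_labels(cert_out):
        if any(s in label.lower() for s in SUSPECT_LABELS):
            findings.append(f"interception CA present in keychain: {label}")
    return findings

if __name__ == "__main__":
    for finding in assess(SOCKS_OUTPUT, CERT_OUTPUT):
        print("FINDING:", finding)
```

A local SOCKS proxy on its own can be legitimate (developer tooling), so the two indicators together are the stronger signal.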

Distribution

Distribution is an important part of any malware's life cycle, and the actors behind Shlayer use several channels for it. Looking for the latest episode of your favorite TV show? Want to watch a live stream of a football match? Be extra careful, because the chances of picking up Shlayer are high.

In most cases, an advertising landing page takes the user to a carefully crafted fake page that installs the malware under the guise of a Flash Player update prompt.

A link to the malware download was found in the YouTube video description:

A Shlayer link in the footnotes of an article:

According to WHOIS, these domains belong to the same person, and the total number of such domains has exceeded 700.

Statistics show that Shlayer attacks mainly target users in the US (31 per cent), followed by Germany (14 per cent), France (10 per cent) and the UK (10 per cent). Almost all of the fake Flash Player download pages are in English.

The study of the Shlayer family shows that the macOS platform is a good source of income for cybercriminals. Links to the Trojan even appear on legitimate resources, and the attackers are skilled at social engineering, so it is hard to predict how sophisticated the next spoofing technique will be.

That concludes this overview of how to analyze the macOS malware Shlayer. I hope the above content has been of some help; if you found the article useful, please share it so that more people can see it.
