New Mac malware detected. Thousands of Apple users infected each day

During 2019, network security specialists from Kaspersky reported thousands of infections by Shlayer, a new Trojan family, and blocked attacks on one in ten Mac devices. Although it appeared that the threat had been contained, recent reports claim that the malware remains active.

In its report, Kaspersky notes that the attackers use an ingenious distribution method, spreading Shlayer through affiliate networks, entertainment websites and even Wikipedia. As a result, exposure is not limited to users who browse insecure websites; the malware can also reach visitors to legitimate pages.

Although macOS is considered much more secure than other widely used systems, many threat actor groups have developed attack methods against its users, and over the past year Shlayer infections were a prominent example of this trend.

Kaspersky’s network security experts state that Shlayer was the most active malware on any Apple system. Dedicated to installing adware, Shlayer intercepts the user’s browser searches and alters the results displayed in order to show more intrusive advertisements.

Regarding the infection process, Kaspersky detected that it is divided into two phases:

  • Installing Shlayer, then installing a specific adware variant
  • Downloading the malware; for this, the attacker must induce the victim to perform the download through the malware’s distribution system

Threat actors often offer Shlayer as a way to monetize websites as part of a partner program, assuring website administrators that they will receive a relatively high payment for each installation of this adware.

According to Kaspersky network security experts, the scheme works as follows:

  • The potential victim searches for online content (streaming sporting events, movies on pirate sites, etc.)
  • Affiliate pages redirect the user to fake Flash Player update pages
  • Once on the fake page, the victim downloads the malware

However, this is not the only way the infection is completed. Attackers have also managed to place links to the fake Adobe Flash page on legitimate platforms, such as YouTube video descriptions or the references section of Wikipedia articles. In total, Kaspersky detected 700 domains (legitimate and malicious) linking to the malware download site.

[Figure: Malicious link in the references section of a Wikipedia article. Source: Kaspersky]

Although most Shlayer activity is concentrated in the United States, a considerable number of attacks have also been detected in Germany, France, the United Kingdom and other European countries.

International Institute of Cyber Security (IICS) network security specialists consider attacks on macOS users to be a significant source of profit for attackers, especially through social engineering campaigns that are easy to deploy, even via legitimate platforms. Fortunately, it is not all bad news: experts say that users of this operating system are less exposed to data theft incidents than users of competing systems, although it would be wise to consider additional data security measures.