A new type of Mac malware that spreads via malicious Google search results has been discovered by Mac antivirus maker Intego.
The malware can slip past several Apple security protections and antivirus software under the guise of Adobe Flash Player updates.
This is a new variant of the Shlayer malware, which Intego first discovered in 2018 and which has been wreaking havoc on macOS users ever since. Kaspersky estimates that Shlayer was responsible for 30% of all Mac malware attacks in 2019.
In a blog post, Intego Chief Security Analyst Joshua Long described how this new variant, like previous versions of Shlayer, appears as an Adobe Flash Player installer.
He says: "When the deceptive Flash Player installer is downloaded and opened on the victim's Mac, a disk image is mounted and instructions on how to install are displayed. The instructions instruct the user to first 'right-click' on the flashInstaller and select 'Open,' then click 'Open' in the dialog box that appears."
The instructions also tell the user to "click on the 'Open' button to open the Flash Player installer." At this point, however, the new variant takes a different route from previous Shlayer variants.
When the user follows the instructions, an "installer application" is launched. The installer has a Flash Player icon and looks like a normal Mac app, but it is actually a bash shell script that opens and briefly executes itself in the Terminal app.
Bash is a Unix command-line shell, and the Terminal window the script opens appears only for an instant; Long describes it as "instantaneous."
To keep the user from suspecting anything, a genuine Adobe Flash Player installer is also downloaded to the user's Mac. Because that installer is signed with Adobe's Apple developer signature, it passes Gatekeeper, the macOS protection that screens out unsigned software.
Meanwhile, the shell script also installs a hidden downloader that can install more malware and adware.
Long described the developers' decision to hide the downloader inside a password-protected .zip file embedded in the bash shell script as a novel idea and "clear evidence" that they are "trying to evade detection by antivirus software."
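Two of the traits described above, an "app" whose main executable is a shell script rather than a compiled binary, and an archive smuggled inside that script, can be checked for directly on a downloaded bundle before it is ever opened. The POSIX shell script below is an added example written for this page, not Intego's tooling. It assumes the bundle's main executable is the first file in Contents/MacOS (a complete tool would read CFBundleExecutable from Contents/Info.plist), and it builds two constructed sample bundles to run against.

```shell
#!/bin/sh
# Added example, not Intego's code: triage checks for a downloaded .app bundle.
# Assumptions: the main executable is the first file in Contents/MacOS (a full
# tool would read CFBundleExecutable from Info.plist); sample bundles below are
# constructed here and are not real installers.

# Classify the bundle's main executable: "macho", "script", "other" or "missing".
bundle_exec_type() {
    macos_dir="$1/Contents/MacOS"
    exe=$(ls "$macos_dir" 2>/dev/null | head -n 1)
    if [ -z "$exe" ] || [ ! -f "$macos_dir/$exe" ]; then
        echo missing
        return 0
    fi
    # First four bytes as lowercase hex, in file order (od -tx1 is byte-wise).
    magic=$(od -An -tx1 -N4 "$macos_dir/$exe" | tr -d ' \n')
    case "$magic" in
        cffaedfe|cefaedfe|feedface|feedfacf|cafebabe|bebafeca) echo macho ;;
        2321*) echo script ;;    # "#!" shebang: a shell script posing as an app
        *) echo other ;;
    esac
}

# Print "yes" if the file contains a ZIP local-file-header signature (PK\003\004)
# anywhere in its bytes, which is how an archive embedded in a script shows up.
has_embedded_zip() {
    od -An -tx1 -v "$1" | tr -s ' \n' '\n' | awk '
        { b[NR] = $1 }
        END {
            for (i = 1; i <= NR - 3; i++)
                if (b[i] == "50" && b[i+1] == "4b" && b[i+2] == "03" && b[i+3] == "04") {
                    print "yes"; exit
                }
            print "no"
        }'
}

# One-line verdict for a bundle, combining both checks.
triage_bundle() {
    type=$(bundle_exec_type "$1")
    zip=no
    if [ "$type" != missing ]; then
        exe=$(ls "$1/Contents/MacOS" | head -n 1)
        zip=$(has_embedded_zip "$1/Contents/MacOS/$exe")
    fi
    case "$type:$zip" in
        script:yes) echo "SUSPICIOUS: shell script with embedded zip" ;;
        script:*)   echo "SUSPICIOUS: main executable is a script, not Mach-O" ;;
        macho:*)    echo "OK: Mach-O main executable (still verify with codesign/spctl)" ;;
        *)          echo "UNKNOWN: $type" ;;
    esac
}

# Build two constructed sample bundles under $1: one carrying only a Mach-O
# magic number (not a real binary) and one mimicking the described installer.
make_sample_bundles() {
    mkdir -p "$1/Real.app/Contents/MacOS" "$1/Fake.app/Contents/MacOS"
    printf '\317\372\355\376' > "$1/Real.app/Contents/MacOS/Real"   # MH_MAGIC_64, little-endian
    {
        printf '#!/bin/bash\n# constructed stand-in for the installer script\n'
        printf 'PK\003\004constructed-archive-bytes\n'
    } > "$1/Fake.app/Contents/MacOS/Fake"
    chmod +x "$1/Real.app/Contents/MacOS/Real" "$1/Fake.app/Contents/MacOS/Fake"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
make_sample_bundles "$tmp"
triage_bundle "$tmp/Real.app"
triage_bundle "$tmp/Fake.app"
rm -rf "$tmp"
```

A "macho" verdict only means the executable is a compiled binary; on a Mac it should still be checked with `codesign --verify` and `spctl --assess --type execute`, and, as the article notes, a legitimately signed installer passes Gatekeeper by design, so signature status alone does not settle whether a download is what it claims to be.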
Long explained that the Intego research team encountered this new Shlayer variant while searching Google for YouTube videos. After clicking on a malicious search result, they were presented with a page warning them that they needed to update their Flash Player.
"The same thing can happen on any search engine, including Bing, Yahoo!"
The scammers used deceptive warnings and fake dialog boxes to get people to download updated versions of Flash, which is actually malware. (Earlier versions of Shlayer tended to use online ads rather than search engine results to lure victims to malicious pages.)
Intego has contacted Google to make it aware of the malicious search results, and says that only its own antivirus software currently addresses this malware.
To protect yourself from Shlayer and similar Mac malware, do not update or install Adobe Flash Player; Flash is becoming obsolete and is no longer used by many websites.
Normally, we would tell you that the best Mac antivirus software will protect you from this new threat, but as Intego's blog post points out, the antivirus scanning engines listed on VirusTotal have yet to detect this new Shlayer variant.