OSX/Shlayer
Associated Software Descriptions

| Name | Description |
|---|---|
| Crossrider | (Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018) |
| Zshlayer | (Citation: sentinelone shlayer to zshlayer) |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt | OSX/Shlayer can escalate privileges to root by asking the user for credentials.(Citation: Carbon Black Shlayer Feb 2019) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | OSX/Shlayer can use the |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.(Citation: Carbon Black Shlayer Feb 2019) |
| Enterprise | T1564.009 | Hide Artifacts: Resource Forking | OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal and Finder, and potentially to evade traditional scanners.(Citation: tau bundlore erika noerenberg 2020)(Citation: sentinellabs resource named fork 2020) |
| Enterprise | T1564.011 | Hide Artifacts: Ignore Process Interrupts | OSX/Shlayer has used the `nohup` command to instruct executed payloads to ignore hangup signals.(Citation: Shlayer jamf gatekeeper bypass 2021) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | OSX/Shlayer can masquerade as a Flash Player update.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018) |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | If running with elevated privileges, OSX/Shlayer has used the |
| Enterprise | T1204.002 | User Execution: Malicious File | OSX/Shlayer has relied on users mounting and executing a malicious DMG file.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018) |
References
- Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
- Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
- Stokes, Phil. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
- Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
- Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
- Bradley, Jaron. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.
- Stokes, Phil. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Wardle, Patrick. (2020, August 30). Apple Approved Malware: malicious code ...now notarized!? #2020. Retrieved September 13, 2021.
- Noerenberg, Erika. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.
- Stokes, Phil. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.