Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент OSX/Shlayer
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
OSX/Shlayer
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)
ID: S0402
Associated Software: Crossrider Zshlayer
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 29 Aug 2019
Last Modified: 19 Oct 2022

Associated Software Descriptions
Name Description
Crossrider (Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)
Zshlayer (Citation: sentinelone shlayer to zshlayer)

Techniques Used
Domain ID Name Use
Enterprise T1548 .004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt

OSX/Shlayer can escalate privileges to root by asking the user for credentials.(Citation: Carbon Black Shlayer Feb 2019)
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command sh -c tail -c +1381... to extract bytes at an offset from a specified file. OSX/Shlayer uses the curl -fsL "$url" >$tmp_path command to download malicious payloads into a temporary directory.(Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: objectivesee osx.shlayer apple approved 2020)
Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

OSX/Shlayer can use the chmod utility to set a file as executable, such as chmod 777 or chmod +x.(Citation: 20 macOS Common Tools and Techniques)(Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.(Citation: Carbon Black Shlayer Feb 2019)
.009 Hide Artifacts: Resource Forking

OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners.(Citation: tau bundlore erika noerenberg 2020)(Citation: sentinellabs resource named fork 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

OSX/Shlayer can masquerade as a Flash Player update.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)
Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

If running with elevated privileges, OSX/Shlayer has used the spctl command to disable Gatekeeper protection for a downloaded file. OSX/Shlayer can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. OSX/Shlayer has been Notarized by Apple, resulting in successful passing of additional Gatekeeper checks.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)(Citation: objectivesee osx.shlayer apple approved 2020)
Enterprise T1204 .002 User Execution: Malicious File

OSX/Shlayer has relied on users mounting and executing a malicious DMG file.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

References

  1. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  2. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  3. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  4. Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
  5. Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
  6. Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.
  7. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  8. Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code ...now notarized!? #2020. Retrieved September 13, 2021.
  9. Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.
  10. Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.