February 28, 2019 Detection and response
Tony Lambert

Shutting Down OSX/Shlayer

Shlayer is a piece of malware that exclusively targets macOS systems. It’s been making the rounds since at least February 2018, primarily by masquerading as an Adobe Flash Player update, although it occasionally mimics other application installers as well.

These fake installers are delivered mostly through peer-to-peer torrent sites and malvertising. Once Shlayer runs on a host, it attempts to install adware, including “OSX/MacOffers” (aka “AdLord” or “Mugthesec”) and “OSX/Bundlore.”

Mitigation Techniques

While a lot has been written about Shlayer, there is a lack of good information about how security teams can remove it from their environments. Shlayer may seem like a relatively straightforward vehicle for delivering adware. However, we’ve learned through experience (and anecdotally from customers) that it can be difficult to remove. Beyond that, Shlayer infections are commonplace in environments with a heavy macOS presence, so it’s safe to assume that many organizations are struggling with Shlayer.

To that point, Shlayer ultimately delivers strains of adware that establish persistence through a variety of means, so there is no one-size-fits-all guidance for remediation and removal. As such, we’re releasing information you can use to detect Shlayer or any associated adware that has gained a foothold in your environment, and to respond accordingly.
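Because the adware Shlayer drops persists in more than one way, the first response step on a suspect Mac is to enumerate what is set to run automatically and look for programs living outside Apple-owned paths. The script below is an added example, not code from the original post or from Red Canary: it assumes the adware uses launchd property lists (one common macOS persistence mechanism; the post does not name the specific mechanisms), walks the standard launchd directories, parses each .plist with the standard-library plistlib module, and flags entries whose program is not under a trusted prefix. The sample plist, its label and its path are constructed for illustration and are not real indicators.

```python
"""Triage macOS launchd property lists for suspicious persistence entries.

Added example: not part of the original post. Assumes launchd .plist files
are the persistence mechanism of interest; TRUSTED_PREFIXES is a heuristic,
not a vendor-supplied list.
"""
import os
import plistlib
from pathlib import Path

# Directories launchd reads agents and daemons from. Per-user LaunchAgents
# are appended at scan time for the current home directory.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
]

# Path prefixes treated as expected for a launchd-started program. Anything
# else (home directories, /tmp, Application Support, hidden folders) is flagged.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Constructed sample plist (illustrative only; not a real Shlayer artifact).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/demo/Library/Application Support/.hidden/agent</string>
        <string>--silent</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def triage_launch_plist(data: bytes) -> dict:
    """Return the fields a responder wants from one launchd plist.

    The program is taken from Program, or else ProgramArguments[0]; it is
    marked suspicious when it does not start with a trusted prefix.
    """
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    suspicious = bool(program) and not program.startswith(TRUSTED_PREFIXES)
    return {
        "label": plist.get("Label"),
        "program": program,
        "args": list(args),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
        "suspicious": suspicious,
    }


def scan_launch_dirs(dirs=None) -> list:
    """Parse every .plist under the launchd directories and return triage rows.

    Directories that do not exist are skipped, so this runs on non-Mac hosts.
    Unparseable plists are flagged rather than silently dropped, since a
    malformed file in a launchd directory is itself worth a look.
    """
    if dirs is None:
        dirs = LAUNCHD_DIRS + [str(Path.home() / "Library" / "LaunchAgents")]
    rows = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for path in sorted(Path(d).glob("*.plist")):
            try:
                row = triage_launch_plist(path.read_bytes())
            except Exception as exc:  # malformed or non-XML plist
                row = {"label": None, "program": None, "args": [],
                       "run_at_load": False, "keep_alive": False,
                       "suspicious": True, "error": str(exc)}
            row["path"] = str(path)
            rows.append(row)
    return rows


if __name__ == "__main__":
    print("sample:", triage_launch_plist(SAMPLE_PLIST))
    for row in scan_launch_dirs():
        if row["suspicious"]:
            print("FLAG", row["path"], row.get("label"), row.get("program"))
```

Run it on the suspect machine as the logged-in user so the per-user LaunchAgents directory is included, and treat a flagged row as a lead to pivot on (the program path, its code signature, and the process it spawns), not as a verdict. The trusted-prefix list is deliberately narrow; legitimate third-party agents under /Library/Application Support will also be flagged and need to be confirmed by signature rather than by path.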
