Shlayer is a piece of malware that exclusively targets macOS systems. It’s been making the rounds since at least February 2018, primarily by masquerading as an Adobe Flash Player update, although it occasionally mimics other application installers as well.
These fake installers are mostly being delivered by peer-to-peer torrent sites and via malvertising. Once Shlayer infects its host, it attempts to install adware, including “OSX/MacOffers” (aka “AdLord” or “Mugthesec”) and “OSX/Bundlore.”
While a lot has been written about Shlayer, there is a lack of good information about how security teams can remove it from their environments. Shlayer may seem like a relatively straightforward vehicle for delivering adware. However, we’ve learned through experience (and anecdotally from customers) that it can be difficult to remove. Beyond that, Shlayer infections are commonplace in environments with a heavy macOS presence, so it’s safe to assume that many organizations are struggling with Shlayer.
To that point, Shlayer ultimately delivers strains of adware that establish persistence through a variety of different means. Given this, there is no one-size-fits-all guidance for remediation and removal. As such, we’re releasing some information that you can use to detect—and respond accordingly—if Shlayer or any associated adware has gained a foothold in your environment.