
Shutting Down OSX/Shlayer

Tony Lambert

Shlayer is a piece of malware that exclusively targets macOS systems. It’s been making the rounds since at least February 2018, primarily by masquerading as an Adobe Flash Player update, although it occasionally mimics other application installers as well.

These fake installers are mostly being delivered by peer-to-peer torrent sites and via malvertising. Once Shlayer infects its host, it attempts to install adware, including “OSX/MacOffers” (aka “AdLord” or “Mugthesec”) and “OSX/Bundlore.”

Mitigation Techniques

While a lot has been written about Shlayer, there is a lack of good information about how security teams can remove it from their environments. Shlayer may seem like a relatively straightforward vehicle for delivering adware. However, we’ve learned through experience (and anecdotally from customers) that it can be difficult to remove. Beyond that, Shlayer infections are commonplace in environments with a heavy macOS presence, so it’s safe to assume that many organizations are struggling with Shlayer.

To that point, Shlayer ultimately delivers strains of adware that establish persistence through a variety of means. Given this, there is no one-size-fits-all guidance for remediation and removal. As such, we’re releasing some information that you can use to detect, and respond accordingly, if Shlayer or any associated adware has gained a foothold in your environment.
