Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2021.
Shlayer is a macOS malware family associated with ad fraud activity through the distribution of adware applications. The trojan masquerades as an installer for applications like Adobe Flash Player and executes numerous macOS commands to deobfuscate code and install adware with persistence mechanisms. In August 2020, Objective-See reported that Shlayer was the first malicious code to be notarized by Apple, granting it privileges to execute with default configurations of macOS Gatekeeper. Shlayer commonly delivers payloads such as AdLoad and Bundlore. Bundlore is frequently delivered as a second-stage payload, which often results in overlaps in public reporting in which certain TTPs are tracked under Bundlore by some teams and under Shlayer by others. Shlayer and Bundlore are similar but have slightly different download, execution, and deobfuscation patterns that all involve openssl with certain command lines.
Tweaks in TTPs
Most of the traditional Shlayer TTPs remained the same throughout 2020, with only slight variations. For example, midway through the year we observed Shlayer begin to obfuscate portions of its payloads within a single shell script. While executing the beginning of the same script, it would issue tail commands to separate the bytes of the payload from the script for execution. (This behavior was consistent with the variant identified as ZShlayer by SentinelOne.) In addition, Shlayer moved to using the AWS CloudFront CDN and S3 data storage buckets for infrastructure, eschewing their own custom-named domains that would occasionally rotate out.
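The two behaviors described above (openssl invoked from a shell script to deobfuscate a payload, and tail carving payload bytes out of the running script itself) are both visible in process telemetry. The following is an added example, not code from the page or its authors: a small Python detector over a constructed set of process events. The exact openssl flags it looks for (`enc -d`, with `-base64` or an `-aes*` cipher as supporting context) and the requirement that the parent be a shell interpreter running a script file are assumptions chosen to keep noise down; the sample events, paths and PIDs are constructed.

```python
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Minimal model of a process-start event from EDR or endpoint telemetry (assumed shape).
@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    cmdline: str

@dataclass
class Finding:
    pid: int
    rule: str
    detail: str

# Shell interpreters and script extensions we treat as "a shell running a script" (assumption).
SHELLS = {"sh", "bash", "zsh"}
SCRIPT_EXT = re.compile(r"\.(sh|command|bash|zsh)$", re.IGNORECASE)

def _argv(cmdline: str) -> List[str]:
    """Split a command line into argv; fall back to whitespace splitting on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()

def _binary(argv: List[str]) -> str:
    return os.path.basename(argv[0]) if argv else ""

def check_openssl_decrypt(argv: List[str]) -> Optional[str]:
    """openssl enc -d ...: a decrypt operation; benign uses of openssl (req, x509, s_client) do not match."""
    if _binary(argv) != "openssl" or "enc" not in argv[1:] or "-d" not in argv:
        return None
    context = [a for a in argv if a in ("-base64", "-a") or a.startswith("-aes")]
    return "openssl enc -d" + (" with " + " ".join(context) if context else "")

def check_tail_carve(argv: List[str]) -> Optional[str]:
    """tail -c <offset> <script>: reading raw bytes from an offset inside a script file."""
    if _binary(argv) != "tail" or "-c" not in argv:
        return None
    scripts = [a for a in argv[1:] if SCRIPT_EXT.search(a)]
    if not scripts:
        return None
    return f"tail -c reading bytes from script {scripts[0]}"

def parent_runs_script(argv: List[str]) -> bool:
    """True when the parent is a shell executing a script file rather than an interactive session."""
    return _binary(argv) in SHELLS and any(SCRIPT_EXT.search(a) for a in argv[1:])

RULES = (("openssl_decrypt", check_openssl_decrypt), ("tail_carve", check_tail_carve))

def analyze(events: List[ProcessEvent]) -> List[Finding]:
    """Flag openssl decrypts and tail byte-carving whose parent is a shell running a script."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for event in events:
        parent = by_pid.get(event.ppid)
        if parent is None or not parent_runs_script(_argv(parent.cmdline)):
            continue
        argv = _argv(event.cmdline)
        for rule, check in RULES:
            detail = check(argv)
            if detail:
                findings.append(Finding(event.pid, rule, detail))
    return findings

# Constructed sample telemetry: one script-driven chain and one interactive session with benign commands.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "/bin/bash /private/tmp/constructed_installer.sh"),
    ProcessEvent(101, 100, "tail -c +1337 /private/tmp/constructed_installer.sh"),
    ProcessEvent(102, 100, "openssl enc -aes-256-cbc -d -base64 -pass pass:constructed"),
    ProcessEvent(200, 1, "/bin/zsh -l"),
    ProcessEvent(201, 200, "openssl req -new -x509 -days 365"),
    ProcessEvent(202, 200, "tail -n 20 /var/log/system.log"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule}: {f.detail}")
```

Run against the constructed events, only the two children of the script-running shell are flagged; the interactive `openssl req` and `tail -n` invocations are ignored. Both rules deliberately depend on parent context rather than the child command alone, since openssl and tail are common administrative tools; a deployment would tune the shell list, script extensions and cipher flags to its own baseline.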
Malicious adware at a glance
While Shlayer has historically been heavily tied to ad fraud, the nature of the malware and mechanisms for persistence provide all the infrastructure to quickly turn Shlayer into a delivery mechanism for more nefarious payloads. Additionally, Shlayer uses masquerading and obfuscation techniques that clearly demonstrate an intention to hide. For these reasons, we classify Shlayer as malware, reflecting that we think it’s more nefarious than software with a demonstrable benefit to an end-user and is therefore worth paying attention to. Researcher Amit Serper summarized this sentiment well: “Adware is just malware with a legal department.”
We weren’t surprised to see Shlayer make it into our top 10 for 2020, as the most common macOS threats we see day to day are related to malicious adware. Other researchers have noted this pattern as well, including Thomas Reed of Malwarebytes.