L’art de l’évasion: How Shlayer hides its configuration inside Apple proprietary DMG files

image generated using OpenAI DALL·E models

Intro

While conducting routine threat hunting for macOS malware on ad networks, I stumbled upon an unusual Shlayer sample. Upon further analysis, it became clear that this variant was different from the known Shlayer variants such as OSX/Shlayer.D, OSX/Shlayer.E, or ZShlayer. We have dubbed it OSX/Shlayer.F.

I then started tracking this OSX/Shlayer.F variant and checked to see if other vendors had encountered or written about it. It turns out that this variant had been reported on in previous blog posts:

  • 26th April 2021 by Jamf, here
  • 19th July 2021 by CrowdStrike, here

I wanted to revisit the OSX/Shlayer.F variant of the Shlayer malware to report on a technique that has not previously been seen in other macOS malware for hiding Command and Control (C2) information. This variant encrypts its configuration using AES within the DMG file header structure, resulting in a modified DMG file. The modification is cleverly crafted and does not cause the DMG file to become corrupted or malfunction. In fact, the macOS operating system is able to mount these modified DMG files and load them as usual.
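The property that makes this hiding place work is that a UDIF disk image is mounted from explicit offsets and lengths in its 512-byte "koly" trailer (data fork, resource fork, XML property list), so bytes that none of those fields reference are simply never read. The following is an added defender-side triage check, not code from the article or from the Shlayer sample: it parses the koly trailer and reports byte ranges the trailer does not account for. The article does not say which field or region OSX/Shlayer.F actually modifies, so the region-accounting approach, the `build_udif` helper and its constructed inputs are assumptions made for illustration, not a signature for this family.

```python
"""Report byte regions in a UDIF (.dmg) file that the 'koly' trailer never references.

Added example, not from the original article. A UDIF image ends with a 512-byte
big-endian 'koly' trailer whose offset/length fields locate the data fork, the
resource fork and the XML property list. Bytes outside those regions (and
outside the trailer itself) are not needed to mount the image, so unreferenced
slack is worth a second look during triage. This is a generic accounting check
and makes no claim about where Shlayer.F stores its AES-encrypted configuration.
"""
import struct
from typing import Dict, List, Tuple

# Field layout of the koly trailer (all big-endian); the size must come to 512.
KOLY_STRUCT = struct.Struct(">4sIII QQQQQ II 16s II 128s QQ 120s II 128s I Q 12s")
if KOLY_STRUCT.size != 512:
    raise RuntimeError("koly layout definition is wrong")


def parse_koly(image: bytes) -> Dict[str, object]:
    """Parse the trailer at the end of `image`; raise ValueError if it is not UDIF."""
    if len(image) < KOLY_STRUCT.size:
        raise ValueError("file shorter than a koly trailer")
    trailer_off = len(image) - KOLY_STRUCT.size
    f = KOLY_STRUCT.unpack_from(image, trailer_off)
    if f[0] != b"koly":
        raise ValueError("no koly signature: not a UDIF image (or trailer moved)")
    return {
        "trailer_offset": trailer_off,
        "version": f[1],
        "header_size": f[2],
        "data_fork": (f[5], f[6]),   # (offset, length) of the compressed block data
        "rsrc_fork": (f[7], f[8]),   # usually absent in modern images
        "xml": (f[15], f[16]),       # the property list describing the blocks
    }


def unaccounted_regions(image: bytes) -> List[Tuple[int, int]]:
    """Return half-open byte ranges [(start, end), ...] that no koly field covers.

    Real images may carry small alignment slack here, so a hit is a triage
    signal that deserves inspection (entropy, strings), not proof of tampering.
    """
    k = parse_koly(image)
    covered: List[Tuple[int, int]] = [(k["trailer_offset"], len(image))]
    for off, length in (k["data_fork"], k["rsrc_fork"], k["xml"]):
        if length:
            covered.append((off, off + length))
    covered.sort()
    gaps: List[Tuple[int, int]] = []
    cursor = 0
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    return gaps


def build_udif(data_fork: bytes, xml_plist: bytes, extra: bytes = b"") -> bytes:
    """Construct a minimal UDIF-shaped file for testing: data fork, an optional
    unreferenced `extra` blob, the XML plist, then the koly trailer.
    This is constructed input, not a mountable image (checksums and plist are dummies)."""
    body = bytearray(data_fork)
    body += extra                      # bytes the trailer will NOT reference
    xml_off = len(body)
    body += xml_plist
    trailer = KOLY_STRUCT.pack(
        b"koly", 4, 512, 1,            # signature, version, header size, flags
        0, 0, len(data_fork),          # running data fork offset, data fork offset/length
        0, 0,                          # no resource fork
        1, 1, b"\x00" * 16,            # segment number/count, segment ID
        2, 32, b"\x00" * 128,          # data checksum type/size/value (zeroed dummy)
        xml_off, len(xml_plist),       # XML plist offset/length
        b"\x00" * 120,                 # reserved
        2, 32, b"\x00" * 128,          # master checksum (zeroed dummy)
        1, (len(data_fork) + 511) // 512,  # image variant, sector count
        b"\x00" * 12,                  # reserved
    )
    return bytes(body + trailer)


if __name__ == "__main__":
    clean = build_udif(b"A" * 4096, b"<plist/>")
    tainted = build_udif(b"A" * 4096, b"<plist/>", extra=b"\xde\xad" * 64)
    print("clean:", unaccounted_regions(clean))      # []
    print("tainted:", unaccounted_regions(tainted))  # [(4096, 4224)]
```

Run it against a real image with `unaccounted_regions(open(path, "rb").read())`; a non-empty result tells you which byte ranges to carve and examine for high entropy or recognisable structure, which is where an encrypted configuration would show up. The trailer offsets are what makes the image still mount despite the extra bytes, which is consistent with the behaviour the article describes.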

Modified DMG files have been used by malware in the past, such as in the CIA’s Imperial project, which included a tool called Achilles that allowed operators to trojanize OS X disk image installers (DMG files) with a specified executable for one-time execution. This recent finding of the Shlayer malware hiding its configuration within DMG files brings to mind the potential for mac malware authors to use this technique more aggressively in the future, potentially for hiding essential components of their malware.

Some Shlayer thoughts before we dive in

Shlayer is a very primitive piece of malware, but it has had several modifications, including this variant, Trojan-Downloader.OSX.Shlayer.e (repo).

[…]

This article has been indexed from Confiant – Medium
