ZShlayer Description

Shlayer is quickly becoming one of the most notorious macOS malware threats, especially after the attack campaign in which it bypassed Apple's Notarization checks. To do so, Shlayer used a Mach-O binary to execute a Bash shell script in memory. The hackers behind this threat have apparently also been looking for other ways to evade static signature checks. The result is a new Shlayer variant that relies on heavily obfuscated Zsh scripts to slip past defenses. Security researchers detected the new variant and named it ZShlayer.

ZShlayer differs significantly from earlier Shlayer threats. Instead of being delivered as shell scripts placed on a .dmg disk image, ZShlayer is delivered as a normal Apple application bundle inside a .dmg file. Because the bundle is not notarized, the researchers concluded that it is intended either to compromise Macs running version 10.14 and lower or to rely on users being tricked into overriding the notarization check themselves.
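The two traits described above, heavily obfuscated Zsh scripts and delivery as an unnotarized application bundle, suggest a simple defender-side triage step: walk an extracted bundle and score every shell script for generic obfuscation idioms before anyone runs it. The following is an added example written for this page, not code from the researchers or from any sample; the indicator list, weights and thresholds are assumptions chosen for illustration, the two scripts it scans are constructed (the hidden "payload" is just an echo), and the heuristic is deliberately generic rather than a signature for this family.

```python
"""Heuristic triage of shell scripts inside an extracted macOS app bundle.

Scores each sh/bash/zsh script for common obfuscation traits (eval of
decoded data, base64 or hex decoding, long base64 runs, one-line bodies,
high entropy) so an analyst can pull the suspicious ones out for manual
review. Thresholds below are assumptions, not values from any report.
"""
import base64
import math
import os
import re
import tempfile
from collections import Counter

SHELL_SHEBANG = re.compile(rb"^#!\s*\S*/(zsh|bash|sh)\b")

# Generic obfuscation idioms; none is specific to any malware family.
INDICATORS = [
    ("eval", re.compile(r"\beval\b")),
    ("base64-decode", re.compile(r"base64\s+(-d|-D|--decode)\b")),
    ("hex-printf", re.compile(r"printf\s+['\"]?(\\x[0-9a-fA-F]{2}){4,}")),
    ("long-base64-run", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
    ("decode-pipe", re.compile(r"\b(xxd\s+-r|openssl\s+enc\s+.*-d)\b")),
]
ENTROPY_THRESHOLD = 5.2   # bits per character (assumption)
ONE_LINE_RATIO = 0.6      # longest line / whole script (assumption)
MIN_INDICATORS = 2        # two independent traits needed to flag (assumption)


def shannon_entropy(text: str) -> float:
    """Bits per character of the script body; encoded blobs push this up."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_script(text: str) -> dict:
    """Return the indicators that fired and whether the script is suspicious."""
    fired = [name for name, rx in INDICATORS if rx.search(text)]
    lines = text.splitlines() or [""]
    if max(len(line) for line in lines) / max(len(text), 1) > ONE_LINE_RATIO:
        fired.append("one-line-body")
    entropy = shannon_entropy(text)
    if entropy > ENTROPY_THRESHOLD:
        fired.append("high-entropy")
    return {"entropy": round(entropy, 2), "indicators": fired,
            "suspicious": len(fired) >= MIN_INDICATORS}


def is_shell_script(path: str) -> bool:
    """True for files whose first bytes are a sh/bash/zsh shebang."""
    try:
        with open(path, "rb") as fh:
            return bool(SHELL_SHEBANG.match(fh.read(64)))
    except OSError:
        return False


def scan_bundle(bundle_dir: str) -> list:
    """Walk an extracted .app and return (relative path, assessment) for
    every shell script that trips the heuristic."""
    hits = []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            if not is_shell_script(path):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                result = assess_script(fh.read())
            if result["suspicious"]:
                hits.append((os.path.relpath(path, bundle_dir), result))
    return hits


# Constructed samples (not taken from any real bundle).
_BLOB = base64.b64encode(b"echo 'constructed benign payload for the sample'").decode()
_HEX_ECHO = "".join(f"\\x{b:02x}" for b in b"echo")  # printf-style hex for "echo"

PLAIN_SCRIPT = """#!/bin/zsh
# Ordinary helper: copy the app into place and note it in a log.
set -e
APP_DIR="/Applications/Example.app"
cp -R "./Example.app" "$APP_DIR"
echo "installed to $APP_DIR" >> "$HOME/Library/Logs/example-install.log"
"""

OBFUSCATED_SCRIPT = (
    "#!/bin/zsh\n"
    f"_k='{_BLOB}';eval \"$(echo $_k|base64 -D)\";"
    f"eval \"$(printf '{_HEX_ECHO}') done\"\n"
)


def make_sample_bundle(dest: str) -> str:
    """Write the two constructed scripts into a minimal .app layout under dest."""
    contents = os.path.join(dest, "Example.app", "Contents")
    os.makedirs(os.path.join(contents, "MacOS"), exist_ok=True)
    os.makedirs(os.path.join(contents, "Resources"), exist_ok=True)
    with open(os.path.join(contents, "MacOS", "postinstall"), "w") as fh:
        fh.write(PLAIN_SCRIPT)
    with open(os.path.join(contents, "Resources", "run.sh"), "w") as fh:
        fh.write(OBFUSCATED_SCRIPT)
    return os.path.join(dest, "Example.app")


def demo() -> list:
    """Build the sample bundle in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(make_sample_bundle(tmp))


if __name__ == "__main__":
    for rel, res in demo():
        print(f"{rel}: entropy={res['entropy']} indicators={res['indicators']}")
```

Requiring two independent indicators keeps an ordinary installer script that happens to call `eval` or decode one base64 string from being flagged; the same logic runs equally well over the scripts found inside a mounted .dmg or over a quarantine directory, and the `INDICATORS` list is the place to add idioms seen in your own environment.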


ZShlayer connects to a server under the hackers' control at http://dqb2corklaq0k.cloudfront.net/ to deliver the final payload. Before that, however, the malware goes through several stages, executing multiple layers of Bash shell scripts. Along the way it also collects system data such as the session UID, machine ID and OS version, all of which is exfiltrated to that server.

The existence of ZShlayer and its spread in the wild show that threat actors are pursuing different attack vectors against macOS users, which brings to the forefront the need for varied defense techniques when deciding how to protect your computer.

Earlier versions of Shlayer malware were launched as shell script executables on a removable disk image (.DMG) file. The new variation is created using a standard Apple application bundle within a .DMG file instead.

A blog post from the researcher who discovered the virus says that while the ability to bypass Notarization would be enough to put the virus on the map, it is the obfuscated Zsh scripts that make the virus a real threat. These Zsh scripts have made the virus more prolific and dangerous for users.

Researchers say that the virus eventually installs Shlayer malware on the target computer. The theory is that security tools don't notice it because it doesn't use the same signatures as standard Shlayer. ZShlayer gets onto a system, tampers with the security settings, and then installs Shlayer unhindered.

The good news is that ZShlayer has yet to penetrate the mainstream fully. So far, the only people at risk of infection are people who download illicit software outside of the official Apple Store and the surrounding ecosystem. You should be safe so long as you don’t mess with illicit and third-party applications.

Researchers say that most of the samples of ZShlayer they have come across were bundled into cracked pirated software. The standard security practices of avoiding pirated software apply to this threat.

As far as Shlayer itself is concerned, the original threat was discovered in February 2019. Shlayer posed as an Adobe Flash software update but was, in reality, a virus capable of infecting Apple computers through the operating system.

The virus recently came back to the public eye when it was discovered to slip through notarizing checks by Apple. The attack stands out because it is possibly the first time that a piece of malicious code had bypassed the notarization tool and effectively gained a "seal of approval" from Apple. The code successfully tricked Apple notarization into thinking it was legitimate.

Apple quickly responded to reports of misconduct and sought to reassure users by revoking the developer code-signing certificate Shlayer used to bypass notarization. The system now successfully spots Shlayer attacks and prevents them – creating a need for a second layer of attack in ZShlayer.