Researchers have recently discovered a new macOS malware variant dubbed ZShlayer, which can mask itself to sneak past security tools and compromise target machines. ZShlayer, which is a variant of Shlayer, does not conform to the original Shlayer signatures and can go unnoticed by some malware scanners. Earlier versions of the Shlayer malware were presented as a shell script executable on a removable .DMG disk image. This new version is delivered as part of a standard Apple application bundle inside the .DMG.
Phil Stokes, a threat researcher at SentinelOne whose research discovered the strain, stated in a blog post: “Although bypassing Apple’s Notarization checks is obviously a headline grabber, this new variant of Shlayer utilizes heavily obfuscated Zsh scripts and is in fact far more prolific in the wild.”
Stokes discovered ZShlayer while hunting for threats on VirusTotal. Stokes also told the website The Daily Swig: “Implications are that users’ security tools may not recognize the initial infected application bundle as malware as it doesn’t conform to Shlayer signatures.”
It is also apparent that ZShlayer infections are currently isolated to users who have downloaded tainted software outside the Apple ecosystem. Stokes also adds: “Most ZShlayer droppers that I saw are in trojanized cracked software, so the usual caveat applies about avoiding downloading pirated versions of products.”
Shlayer malware posed as an Adobe Flash software update and was first discovered in February 2019. It resurfaced after it was found to have the ability to slip past Apple’s notarizing checks. The campaign was initially spotted by a Twitter user named Peter Dantini, who passed his findings on to Mac security expert Patrick Wardle.
This attack represents the first time any malicious code has gained Apple’s notarization “stamp of approval.” Apple promptly revoked the developer code-signing certificate abused in the Shlayer campaign.