
Rewterz Threat Alert – Apple Accidentally Notarizes Shlayer Malware Used in Adware Campaign

Severity

High

Analysis Summary

Apple accidentally notarized Shlayer malware as part of its security notarization process. The notarized malware payloads were discovered in a recent macOS adware campaign, disguised as Adobe Flash Player updates.

The Apple notary service is an automated system on recent macOS versions that scans software (macOS apps, kernel extensions, disk images and installer packages) for malicious content and checks for code-signing issues. When a macOS user later installs the software, Apple’s Gatekeeper security feature tells them whether any malicious code was detected before they open it.

A website (homebrew[.]sh) was actively hosting an adware campaign. The website is likely spoofing the legitimate Homebrew site (hosted at brew.sh), a free and open-source package management system that simplifies the installation of software on macOS. When users visited the website, it redirected several times before telling them that their Adobe Flash Player was out of date and recommending an update (via at least three separate pop-ups in the browser).


While the campaign looks like a fairly run-of-the-mill adware attack, what is different is that, because the payloads are notarized, Gatekeeper does not show the usual warning telling the user that the developer cannot be verified and that it is unknown whether the app is free from malware.


The notarized payloads appear to be OSX.Shlayer malware, one of the most common threats to Macs.
Apple quickly revoked the Developer code-signing certificate(s) that were used to sign the malicious payloads. This occurred on Friday, Aug. 28th.

Interestingly, as of Sunday (Aug 30th) the adware campaign was still live and serving up new payloads. Unfortunately, these new payloads are (still) notarized, so Mac users are still not safe from the Shlayer Trojan.

Impact

  • Security Bypass
  • Detection Evasion
  • Unauthorized Access

Indicators of Compromise

Domain Name

  • homebrew[.]sh

MD5

  • 04e7bae95f86118fd5e347ee43537b06

SHA-256

  • 1afcea3625c2725a95e87df1d660130a374c29e98624cb9b51b415c9f5c9e305

SHA1

  • 7f79800951160875b94df94bb834c30ad11a9021

Remediation

  • Block the threat indicators at their respective controls.
  • Only download software from verified official sites.
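To act on the indicators above, a defender needs them in a form that hunts and blocklists can consume. The following is an added example (not Rewterz tooling) that refangs the defanged domain, hashes local files with all three algorithms the advisory lists, and flags proxy log lines that reach the campaign domain or a subdomain of it; the log format and file names are constructed for illustration.

```python
"""Added example: match the Shlayer advisory's IoCs against files and log lines."""
import hashlib
import re
from pathlib import Path

# Indicators taken from the advisory. The domain is kept defanged ("[.]")
# as published; refang() converts it to a matchable hostname.
IOC_HASHES = {
    "04e7bae95f86118fd5e347ee43537b06",                                  # MD5
    "7f79800951160875b94df94bb834c30ad11a9021",                          # SHA1
    "1afcea3625c2725a95e87df1d660130a374c29e98624cb9b51b415c9f5c9e305",  # SHA-256
}
IOC_DOMAINS = {"homebrew[.]sh"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('homebrew[.]sh', 'hxxp://') into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def file_hashes(path: Path) -> dict:
    """Compute MD5, SHA1 and SHA-256 of a file in one streamed pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_files(paths, hashes=IOC_HASHES) -> list:
    """Return (path, algorithm, digest) for each file whose hash is a known IoC."""
    hits = []
    for p in map(Path, paths):
        for algo, digest in file_hashes(p).items():
            if digest in hashes:
                hits.append((str(p), algo, digest))
    return hits


def scan_log(lines, domains=IOC_DOMAINS) -> list:
    """Return log lines contacting an IoC domain (exact host or any subdomain)."""
    hosts = {refang(d).lower() for d in domains}
    # Hostname follows a URL scheme or a 'host='/'dst=' field (constructed format).
    pattern = re.compile(r"(?:https?://|host=|dst=)([a-z0-9.-]+)", re.I)
    hits = []
    for line in lines:
        found = {h.lower() for h in pattern.findall(line)}
        if any(h in hosts or any(h.endswith("." + d) for d in hosts) for h in found):
            hits.append(line.strip())
    return hits
```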