Flash-based MacOS malware hides in plain sight

By masquerading as a legitimate Adobe web application, the new malware strains can trick Mac users into bypassing their on-board defences

Security researchers have uncovered two new variants of the MacOS Shlayer and Bundlore malware strains disguised as a Flash media player download, which are spreading through malicious results in Google web searches.

First spotted in the wild by Joshua Long, chief security analyst at Apple security specialist Intego, the trojan fools its victims into bypassing their on-board cyber security protections by walking them through the install process as if it was a legitimate application, in this case an Adobe Flash Player installer.

Long revealed that he had found multiple Google search results while looking for the exact titles of YouTube videos that passed through multiple redirects to a page that claims the user’s Flash Player is out of data, and warns them to download an update.

If the user can be induced to download the deceptive installer, the disk image mounts and displays installation instructions for them to follow. If they do so, they will launch an app that has a Flash icon and looks relatively normal, but is actually a bash shell script that extracts the malicious application from a .zip archive file and launches it before quitting the terminal.

Long said that once launched, the app downloads an Adobe-signed Flash Player installer to appear genuine but can also download the malicious apps at the discretion of whoever controls the command and control (C2) servers.

“The developers’ decision to hide the Mac .app within a password-protected .zip file, and to hide that within a bash shell script, is a novel idea – and it is also extremely clear evidence that the developers are trying to evade detection by antivirus software,” said Long in a disclosure blog. The known malicious search results have now been reported to Google.

In this particular campaign, Long said it was not clear how many sites were offering the malware for download, or how many search results might be compromised. Given the novelty of the threat, it is also unclear how widespread infections might be.

However, he pointed out, a design flaw exists in the installation process, when victims are instructed to “right-click” on the installer, which may accidentally protect newer Mac users who are not familiar with how to right-click using a Mac computer.

Tim Mackey, principal security strategist at the Synopsys CyRC (Cyber security Research Centre), said: “The attack outlined here is essentially a drive-by where the attacker is attempting to pollute legitimate documents, in this case search results for popular topics, with their malware.

“The attacker hopes their victim will follow their prompts and install the malicious software. Once the malicious software is installed, it can typically perform whatever tasks the user who installed it is permitted to do.

Read more about malware

“Preventing this type of attack requires scepticism and an understanding of what is and isn’t installed or enabled on your computer. For example, if you have the Adobe Flash player already installed and a website prompts to update it, then before trusting the website’s claims, it’s best to validate if you have the current version from the author – in this case, Adobe.”

Adam Palmer, chief cyber security strategist at Tenable, added: “Adobe Flash is a notoriously vulnerable piece of software, with numerous weaponised exploit kits developed for it, and commonly viewed as a high security and stability risk. While the malware discovered by Intego disguises itself as Flash Player, organisations should be taking steps to identify and block attempts by corporate users trying to install Flash, legitimate or otherwise.

“If there is a business case for a user to download Flash, this should be done with the knowledge of the IT team, who can scan the files to ensure it’s the real deal and not a malicious imitation.”

Palmer said that even though web-based applications are an old method of spreading malicious software, they are still a highly popular one – he cited a 2019 study that found an average of 33 vulnerabilities in every web app. The risk of exposure was magnified, he said, by employees working remotely beyond their secure network perimeters during the Covid-19 coronavirus pandemic.

More information on Long’s research, including indicators of compromise and demonstration screenshots, can be found on Intego’s website.

Read more on Endpoint security