Shlayer, No. 1 Threat for Mac, Targets YouTube, Wikipedia

silversurfer

The malvertising-focused trojan known as Shlayer has burbled to the top of the malware heap when it comes to targeting Mac users. It made up 29 percent of all attacks on macOS devices in Kaspersky’s telemetry for 2019, making it the No. 1 Mac malware threat for the year. To spread, it has been swindling visitors to websites with millions of visitors, especially YouTube and Wikipedia, into clicking on malicious links.

Shlayer is a trojan downloader, which spreads via fake applications that hide its malicious code, according to Kaspersky. Its main purpose is to fetch and install various adware variants. These second-stage samples bombard users with ads, and also intercept browser searches in order to modify the search results to promote yet more ads.

Thus it’s perhaps not surprising that, out of the remaining Top 10 macOS threats detailed by Kaspersky for the year, most of them were adware that Shlayer installs – namely, AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, AdWare.OSX.Pirrit and AdWare.OSX.Cimpli.

Shlayer generally arrives on users’ desktops via a malicious download. Kaspersky noted that the cybercriminals behind the code have set up an elaborate distribution system with a number of channels leading users to download the malware.

“Shlayer spreads via a partner network of thousands of websites, often targeting visitors of legitimate sites, including YouTube and Wikipedia,” Kaspersky explained in an analysis of the code, released Thursday. “YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in the articles’ references.”
 

upnorth

Looking for the latest episode of your favorite TV show? Want to watch a live broadcast of a soccer match? Then take extra care, since the chances of a run-in with Shlayer are high.