+16https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/
Just a heads up. I've been researching for some sort of local markers I can use to make an EA to track it/remove it via policy but haven't turned any up yet.
Best answer by ThijsX
You can create an EA based on existing of one of these files.
EA
#!/bin/bash
# Set Directories
directories=("/tmp/*/Player*.app/"
"/Applications/Mac*Cleanup*Pro*.app/"
"/Volumes/Player/"
"/Volumes/FlashPlayer/"
"/private/tmp/*/Player/"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
# Check Primary Directories for Player Files and remove if found
for directory in ${directories[@]}; do
if [ -e "$directory" ]; then
echo -e "OSX Shlayer Infection Detected, Investigate $directory directory"
else
echo "Nothing Found"
fi
doneshlayer-cleanup.sh
#!/bin/bash
# OSX Shlayer Cleanup Script
# gfoss[at]carbonblack[.]com
# Feb 11, 2019
# Run automatically or interactively?
autoremove=false
if [[ "$1" == "--autoremove" ]]; then
autoremove=true
fi
# When running interactively, display warning
if [[ $autoremove == "false" ]]; then
echo ""
echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
echo -n " Enter 'YES' to continue: "
read shallWeContinue
if [ $shallWeContinue != 'YES' ]; then
echo ""
exit 1
fi
else
echo ""
echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
echo " Press CRTL+C to abort..."
sleep 5
fi
# Set Directories
directories=("/tmp/*/Player*.app/"
"/Applications/Mac*Cleanup*Pro*.app/"
"/Volumes/Player/"
"/Volumes/FlashPlayer/"
"/private/tmp/*/Player/"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
echo ""
# Check Primary Directories for Player Files and remove if found
for directory in ${directories[@]}; do
if [ -d "$directory" ]; then
echo -e "OSX Shlayer Infection Detected!"
echo " $directory"
if [[ $autoremove == "false" ]]; then
echo -n "Would you like to delete the malware directory? Enter (y/n): "
read cleanupChoice
else
cleanupChoice="y"
fi
if [ $cleanupChoice == "y" ]; then
sudo rm -rf "$directory" && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
else
echo "It is recommended to remove this directory to prevent continued infection!"
fi
echo ""
fi
done$ ./shlayer-cleanup.sh --autoremove
Runs the script and automatically deletes any detected Shlayer malicious files.
+20@hkabik Thank you for sharing! we are currently with all our macOS devices on CB Defense, so we can run the custom query within an andvanced search for spotting this one!
(commandLine:f0l and applicationName:curl) OR (targetAppName:curl AND targetCommandLine:f0l)You can create an EA based on existing of one of these files.
EA
#!/bin/bash
# Set Directories
directories=("/tmp/*/Player*.app/"
"/Applications/Mac*Cleanup*Pro*.app/"
"/Volumes/Player/"
"/Volumes/FlashPlayer/"
"/private/tmp/*/Player/"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
# Check Primary Directories for Player Files and remove if found
for directory in ${directories[@]}; do
if [ -e "$directory" ]; then
echo -e "OSX Shlayer Infection Detected, Investigate $directory directory"
else
echo "Nothing Found"
fi
doneshlayer-cleanup.sh
#!/bin/bash
# OSX Shlayer Cleanup Script
# gfoss[at]carbonblack[.]com
# Feb 11, 2019
# Run automatically or interactively?
autoremove=false
if [[ "$1" == "--autoremove" ]]; then
autoremove=true
fi
# When running interactively, display warning
if [[ $autoremove == "false" ]]; then
echo ""
echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
echo -n " Enter 'YES' to continue: "
read shallWeContinue
if [ $shallWeContinue != 'YES' ]; then
echo ""
exit 1
fi
else
echo ""
echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
echo " Press CRTL+C to abort..."
sleep 5
fi
# Set Directories
directories=("/tmp/*/Player*.app/"
"/Applications/Mac*Cleanup*Pro*.app/"
"/Volumes/Player/"
"/Volumes/FlashPlayer/"
"/private/tmp/*/Player/"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
echo ""
# Check Primary Directories for Player Files and remove if found
for directory in ${directories[@]}; do
if [ -d "$directory" ]; then
echo -e "OSX Shlayer Infection Detected!"
echo " $directory"
if [[ $autoremove == "false" ]]; then
echo -n "Would you like to delete the malware directory? Enter (y/n): "
read cleanupChoice
else
cleanupChoice="y"
fi
if [ $cleanupChoice == "y" ]; then
sudo rm -rf "$directory" && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
else
echo "It is recommended to remove this directory to prevent continued infection!"
fi
echo ""
fi
done$ ./shlayer-cleanup.sh --autoremove
Runs the script and automatically deletes any detected Shlayer malicious files.
+10Hi @txhaflaire ,
I hope you don't mind, but I tweaked your EA a little to be able to catch the infected systems with a smart group.
#!/bin/bash
# Set Directories
directories=("/tmp/*/Player*.app/"
"/Applications/Mac*Cleanup*Pro*.app/"
"/Volumes/Player/"
"/Volumes/FlashPlayer/"
"/private/tmp/*/Player/"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
# Check Primary Directories for Player Files
shlayerFound=('')
for directory in ${directories[@]}; do
if [ -e "$directory" ]; then
shlayerFound+="OSX Shlayer Infection Detected, Investigate $directory directory
"
fi
done
if [[ ! $shlayerFound == '' ]]; then
echo -e "<result>${shlayerFound[@]}</result>"
else
echo "<result>Not Found</result>"
fiI figured I would share the tweaks in case someone else might find it helpful.
Kind regards,
-Dennis
+20Nice, also thought about modifing in that way but run out of time looks good!
+7Updated the removal script as "rm -rf" doesn't work on /Volumes/. I also took out the checks as I have this all run automatically whenever it is found.
#!/bin/bash
# OSX Shlayer Cleanup Script
# Set Directories
directories=("/tmp/*/Player*.app/"
"/Applications/Mac*Cleanup*Pro*.app/"
"/private/tmp/*/Player/"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
# Check Primary Directories for Player Files and remove if found
for directory in ${directories[@]}; do
if [ -d "$directory" ]; then
echo " $directory"
sudo rm -rf "$directory"
else
echo "It is recommended to remove this directory to prevent continued infection!"
fi
done
# Set Volumes
volumes=("/Volumes/Player/"
"/Volumes/FlashPlayer/")
# Check Primary Volumes for Player Files and eject if found
for volume in ${volumes[@]}; do
if [ -d "$volume" ]; then
echo " $volume"
Diskutil unmountDisk force "$volume"
else
echo "It is recommended to remove this Volume to prevent continued infection!"
fi
done
exit 0Hi,
I just found several daemons, agents and profiles comming with Shlayer hidden in an adware. The user installed
PDF Viewer Pro lite.appin his homedirectory. Also there were a lot of hidden folders within
/Library/Application Supportwith cryptic names like
./.23450892347509237592130123similar to those daemons and .plist files we found.
This kinda nasty software war hard to remove, through it startet copying itself over, starting processes again and so on. I'll recommend to add
PDF Viewer Pro.appand
PDF Viewer Pro Lite.appto your searches as well.
The mac also had
Mac Cleanup Pro.installed, which could only be killed in the single user mode in my case.
This article helped me as well: https://www.pcrisk.com/removal-guides/14355-shlayer-trojan-mac
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.