New Variant of Shlayer Malware on macOS

hkabik
Valued Contributor

https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/

Just a heads up. I've been searching for some sort of local marker I can use to make an EA to track/remove it via policy, but haven't turned any up yet.

1 ACCEPTED SOLUTION

ThijsX
Valued Contributor

You can create an EA based on the existence of one of these files.

EA

#!/bin/bash

# Set Directories (glob patterns; each one is expanded below)
directories=("/tmp/*/Player*.app/"
        "/Applications/Mac*Cleanup*Pro*.app/"
        "/Volumes/Player/"
        "/Volumes/FlashPlayer/"
        "/private/tmp/*/Player/"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")

# A pattern with no match is dropped instead of being left as a literal string
shopt -s nullglob

# Check Primary Directories for Player Files and report any that exist
found=false
for pattern in "${directories[@]}"; do
    for directory in $pattern; do
        if [ -e "$directory" ]; then
            echo "OSX Shlayer Infection Detected, Investigate $directory directory"
            found=true
        fi
    done
done

# Report once, not once per pattern
if [ "$found" = false ]; then
    echo "Nothing Found"
fi

shlayer-cleanup.sh

#!/bin/bash

# OSX Shlayer Cleanup Script
# gfoss[at]carbonblack[.]com
# Feb 11, 2019

# Run automatically or interactively?
autoremove=false
if [[ "$1" == "--autoremove" ]]; then
    autoremove=true
fi

# When running interactively, display warning
if [[ $autoremove == "false" ]]; then
    echo ""
    echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
    echo -n "                  Enter 'YES' to continue: "
    read -r shallWeContinue
    # Quoted so that an empty answer aborts instead of breaking the test
    if [ "$shallWeContinue" != 'YES' ]; then
        echo ""
        exit 1
    fi
else
    echo ""
    echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
    echo "                 Press CTRL+C to abort..."
    sleep 5
fi

# Set Directories (glob patterns; each one is expanded below)
directories=("/tmp/*/Player*.app/"
        "/Applications/Mac*Cleanup*Pro*.app/"
        "/Volumes/Player/"
        "/Volumes/FlashPlayer/"
        "/private/tmp/*/Player/"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")

echo ""

# A pattern with no match is dropped instead of being left as a literal string
shopt -s nullglob

# Check Primary Directories for Player Files and remove if found
for pattern in "${directories[@]}"; do
    for directory in $pattern; do
        if [ -d "$directory" ]; then
            echo "OSX Shlayer Infection Detected!"
            echo "     $directory"
            if [[ $autoremove == "false" ]]; then
                echo -n "Would you like to delete the malware directory? Enter (y/n): "
                read -r cleanupChoice
            else
                cleanupChoice="y"
            fi
            # Quoted so that an empty answer counts as "no"
            if [ "$cleanupChoice" == "y" ]; then
                sudo rm -rf "$directory" && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
            else
                echo "It is recommended to remove this directory to prevent continued infection!"
            fi
            echo ""
        fi
    done
done

$ ./shlayer-cleanup.sh --autoremove

Runs the script and automatically deletes any detected Shlayer malicious files.


8 REPLIES

ThijsX
Valued Contributor

@hkabik Thank you for sharing! We currently have all our macOS devices on CB Defense, so we can run this custom query within an advanced search to spot this one:

(commandLine:f0l and applicationName:curl) OR (targetAppName:curl AND targetCommandLine:f0l)
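The CB Defense query above keys on two things: the process is curl and its command line contains the string f0l. For Macs that are not enrolled in an EDR, the same two conditions can be applied to ps output on the host itself. The script below is an added example, not from the thread and not Carbon Black's code; it assumes input lines have the shape produced by `ps -axo pid=,comm=,args=` (PID, executable, argument string), and the sample lines in it are constructed, with example.invalid as a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread or from Carbon Black: the two conditions
# of the CB Defense query (process is curl, command line contains "f0l")
# applied to ps output on the host itself.
# Assumption: input lines look like the output of  ps -axo pid=,comm=,args=
# i.e. "PID EXECUTABLE ARGV...", with EXECUTABLE possibly a full path.

# shlayer_curl_hits: filter stdin, printing only lines where the executable's
# basename is curl and the full line contains the string f0l.
shlayer_curl_hits() {
    awk '{
        exe = $2
        sub(/.*\//, "", exe)                      # basename of the executable
        if (exe == "curl" && index($0, "f0l") > 0) print
    }'
}

# Constructed sample (not real telemetry; example.invalid is a placeholder
# domain). Only PID 412 satisfies both conditions: 413 and 415 are curl
# without the string, 414 has the string but is not curl.
SAMPLE_PS='  412 /usr/bin/curl curl -fsL https://example.invalid/f0l -o /tmp/Player
  413 /usr/bin/curl curl -fsL https://example.invalid/updates.json
  414 /bin/bash bash -c "echo f0l"
  415 /usr/bin/curl curl --version'

# shlayer_curl_demo: run the filter over the constructed sample.
shlayer_curl_demo() {
    printf '%s\n' "$SAMPLE_PS" | shlayer_curl_hits
}

# shlayer_curl_live: run the filter over the processes on this host.
shlayer_curl_live() {
    ps -axo pid=,comm=,args= | shlayer_curl_hits
}

if [ "${1:-}" = "--live" ]; then
    shlayer_curl_live
fi
```

On a Mac, run it with `--live`; a hit line gives you the PID, the executable and the full argument string, which is what you pivot on next (parent process, the DMG the Player app was launched from). The string match is the same coarse indicator the CB query uses, so treat a hit as a lead to investigate rather than a verdict.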

hkabik
Valued Contributor

BEAUTIFUL! Thanks!

dmueller
Contributor

Hi @txhaflaire,

I hope you don't mind, but I tweaked your EA a little to be able to catch the infected systems with a smart group.

#!/bin/bash

# Set Directories (glob patterns; each one is expanded below)
directories=("/tmp/*/Player*.app/"
        "/Applications/Mac*Cleanup*Pro*.app/"
        "/Volumes/Player/"
        "/Volumes/FlashPlayer/"
        "/private/tmp/*/Player/"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")

# A pattern with no match is dropped instead of being left as a literal string
shopt -s nullglob

# Check Primary Directories for Player Files, collecting one line per hit
shlayerFound=""
for pattern in "${directories[@]}"; do
    for directory in $pattern; do
        if [ -e "$directory" ]; then
            shlayerFound+="OSX Shlayer Infection Detected, Investigate $directory directory"$'\n'
        fi
    done
done

# Jamf reads the value between the result tags; a smart group can key on "is not Not Found"
if [ -n "$shlayerFound" ]; then
    echo "<result>${shlayerFound%$'\n'}</result>"
else
    echo "<result>Not Found</result>"
fi

I figured I would share the tweaks in case someone else might find it helpful.

Kind regards,
-Dennis

ThijsX
Valued Contributor

Nice, I also thought about modifying it that way but ran out of time. Looks good!

m_donovan
Contributor III

Thanks everyone. The EA works great.

chrisdaggett
Contributor II

Updated the removal script as "rm -rf" doesn't work on /Volumes/. I also took out the checks as I have this all run automatically whenever it is found.

#!/bin/bash

# OSX Shlayer Cleanup Script

# Set Directories (glob patterns; each one is expanded below)
directories=("/tmp/*/Player*.app/"
        "/Applications/Mac*Cleanup*Pro*.app/"
        "/private/tmp/*/Player/"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
        "/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")

# A pattern with no match is dropped instead of being left as a literal string
shopt -s nullglob

# Check Primary Directories for Player Files and remove if found
for pattern in "${directories[@]}"; do
    for directory in $pattern; do
        if [ -d "$directory" ]; then
            echo "     $directory"
            sudo rm -rf "$directory"
        fi
    done
done

# Set Volumes (a mounted DMG cannot be removed with rm -rf; it has to be unmounted)
volumes=("/Volumes/Player/"
        "/Volumes/FlashPlayer/")

# Check Primary Volumes for Player Files and unmount if found
for volume in "${volumes[@]}"; do
    if [ -d "$volume" ]; then
        echo "     $volume"
        diskutil unmountDisk force "$volume"
    fi
done
exit 0
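Pulling the three scripts in this thread together (ThijsX's EA and cleanup script, dmueller's `<result>` output for a smart group, and chrisdaggett's separate handling of the /Volumes mounts), the following is an added example that is not any poster's code: one POSIX sh file with a detection function that can be pointed at a scratch directory for testing, a Jamf EA entry point, and a removal entry point. It assumes the pattern list is exactly the union of the patterns posted above, that a matched path which appears in mount(8) output is a mounted DMG and is handed to diskutil rather than rm, and that everything else is a plain directory or app bundle; the `--ea` and `--remove` flags are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the path indicators posted above as one
# POSIX sh file with a Jamf EA entry point and a cleanup entry point.
# Assumptions: the pattern list is the union of the ones posted in this thread;
# diskutil is only invoked for a matched path that is a real mount point.

# Indicator patterns, one per line, always relative to the root passed to the
# functions ("" for the live system, a scratch directory when testing).
SHLAYER_PATTERNS='
/tmp/*/Player*.app
/Applications/Mac*Cleanup*Pro*.app
/private/tmp/*/Player
/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app
/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app
/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app
/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app
/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app
/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app
/Volumes/Player
/Volumes/FlashPlayer
'

# shlayer_find ROOT: print every existing path under ROOT that matches a
# pattern, one per line, de-duplicated (Player_DMG_*.app also matches
# Player_*.app). Only the pattern part of the word is unquoted, so globbing
# applies to it and not to ROOT; a pattern with no match stays a literal
# string and fails the -e test.
shlayer_find() {
    printf '%s\n' "$SHLAYER_PATTERNS" | while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        for match in "$1"$pattern; do
            if [ -e "$match" ]; then
                printf '%s\n' "$match"
            fi
        done
    done | sort -u
}

# shlayer_ea ROOT: Jamf extension attribute output; a smart group can then
# use the criterion "is not Not Found".
shlayer_ea() {
    ea_found=$(shlayer_find "$1")
    if [ -n "$ea_found" ]; then
        printf '<result>%s</result>\n' "$ea_found"
    else
        printf '<result>Not Found</result>\n'
    fi
}

# is_mount_point PATH: true when PATH is listed as a mount point by mount(8);
# the line shape "... on /path (...)" is the same on macOS and Linux.
is_mount_point() {
    command -v mount >/dev/null 2>&1 && mount | grep -qF " on $1 "
}

# shlayer_remove ROOT: delete every matched path. A mounted volume (the
# Player or FlashPlayer DMG) is force-unmounted instead, because rm -rf
# cannot remove a mount point.
shlayer_remove() {
    shlayer_find "$1" | while IFS= read -r path; do
        if is_mount_point "$path"; then
            diskutil unmountDisk force "$path"
        else
            rm -rf "$path"
        fi
    done
}

case "${1:-}" in
    --ea)     shlayer_ea "" ;;
    --remove) shlayer_remove "" ;;
esac
```

Two caveats for the removal path. The AppTranslocation matches live inside the read-only translocation mount that macOS creates while a quarantined app runs, so `rm -rf` there is expected to fail; the copy to delete is the original on the mounted DMG or wherever the user launched it from. And `diskutil unmountDisk force` only unmounts the volume; `hdiutil detach` on the same mount point also releases the disk image device.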

CreativeB
New Contributor III

Hi,

I just found several daemons, agents and profiles coming with Shlayer, hidden in adware. The user installed

PDF Viewer Pro lite.app
in his home directory. There were also a lot of hidden folders within
/Library/Application Support
with cryptic names like
./.23450892347509237592130123
similar to the names of the daemons and .plist files we found.

This kind of nasty software was hard to remove, since it kept copying itself over, starting its processes again and so on. I'd recommend adding

PDF Viewer Pro.app
and
PDF Viewer Pro Lite.app
to your searches as well.

The Mac also had

Mac Cleanup Pro
installed, which could only be killed in single user mode in my case.

This article helped me as well: https://www.pcrisk.com/removal-guides/14355-shlayer-trojan-mac
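The path-based EAs earlier in the thread will not see the persistence described in the post above: hidden directories with long numeric names under Application Support, plus the launchd items that point at them. The script below is an added example, not the poster's code, that hunts for exactly that pair. It assumes the hidden names are a dot followed by digits only (as in the name quoted above), that the plists can be searched as text (an ASCII path is stored verbatim in both XML and binary plists), and that ROOT is "" on a live Mac and a scratch directory when testing; the plist names in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a hunt for the persistence described in
# the post above (hidden numeric-named directories under Application Support,
# plus launchd plists that reference them).
# Assumptions: the hidden names are a dot followed by digits only; plists are
# grep-able as text; ROOT is "" on a live Mac and a scratch directory in tests.

# hidden_numeric_dirs ROOT: print directories named ".<digits>" found in the
# system-wide and per-user Application Support directories under ROOT.
hidden_numeric_dirs() {
    for base in "$1"/Library/Application\ Support \
                "$1"/Users/*/Library/Application\ Support; do
        [ -d "$base" ] || continue
        for d in "$base"/.*; do
            [ -d "$d" ] || continue
            case "${d##*/}" in
                .|..)       ;;                  # directory self/parent entries
                .*[!0-9]*)  ;;                  # has a non-digit after the dot
                .?*)        printf '%s\n' "$d" ;;
            esac
        done
    done
}

# launchd_refs ROOT: for every hidden directory found, print
# "<plist> -> <dir>" for each LaunchDaemons/LaunchAgents plist that mentions
# the directory by its on-disk path (ROOT prefix stripped before grepping, so
# the search string is the path as it would appear on the live system).
launchd_refs() {
    hidden_numeric_dirs "$1" | while IFS= read -r dir; do
        for plist in "$1"/Library/LaunchDaemons/*.plist \
                     "$1"/Library/LaunchAgents/*.plist \
                     "$1"/Users/*/Library/LaunchAgents/*.plist; do
            [ -f "$plist" ] || continue
            if grep -qF "${dir#"$1"}" "$plist"; then
                printf '%s -> %s\n' "$plist" "$dir"
            fi
        done
    done
}

case "${1:-}" in
    --live) hidden_numeric_dirs ""; launchd_refs "" ;;
esac
```

Run with `--live` on the affected Mac. Because the post reports the software respawning and re-copying itself, unload the referenced launchd item (`launchctl bootout`) before deleting the directory it points at, otherwise the running job can recreate what you removed; the hunt output gives you both halves of that pair.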