Up to a million Mac users have been affected by a massive adware campaign that uses a steganography technique to hide malware in image files. Confiant and Malwarebytes researchers said the attacks have been ongoing since January 11, spreading through web ads and steganography; steganography is the practice of concealing secret messages, code or information in text or images that are otherwise innocuous. The tactic has been used over the past year in several campaigns, including images uploaded to trusted Google sites and even Twitter memes.

In the Mac campaign, a victim is first served an ad containing an image, but in reality malicious JavaScript is hidden inside the image file's data. Once clicked, the malicious ad infects the Mac user with the Shlayer Trojan, which masquerades as a Flash update and drops adware onto the victim's machine. “The malware acts both as a Trojan (disguised as a Flash Player update) and as an additional payload dropper, most notably adware,” Jerome Segura, head of Malwarebytes Threat Intelligence, told Threatpost. “End users can therefore notice that their machines are running slower than normal, and they can be tricked into purchasing applications that they do not need.”

Researchers said they have detected 191,970 bad ads so far and estimate that about 1 million users have been affected. Based on reliable cost-impact benchmarks, the ad fraud for January alone is worth more than $1.2 million. “The perpetrators have been active for months, but only recently have they begun to smuggle in malware through steganography, by encoding it in images,” researchers said in a Wednesday post detailing the campaign.
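The article does not say how the JavaScript is encoded inside the ad images, so the following added example (not from the article or from the researchers) demonstrates one check a defender can run over creatives before they are served: it walks the PNG chunk list or finds the JPEG end-of-image marker and flags any bytes appended after the image terminator, and also flags script-like strings anywhere in the file. The sample images, including the "smuggled" snippet appended to one of them, are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Strings that have no business appearing inside a plain image file.
SCRIPT_MARKERS = (b"<script", b"eval(", b"document.", b"window.", b"atob(")

def png_end_offset(data):
    """Walk PNG chunks; return offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(data):
    """Return offset just past the EOI marker (FF D9), or None if absent."""
    if not data.startswith(b"\xff\xd8"):
        return None
    idx = data.find(b"\xff\xd9")       # embedded EXIF thumbnails may end early; good enough as a triage check
    return None if idx < 0 else idx + 2

def scan_image(data):
    """Return a list of findings for one image blob; an empty list means nothing suspicious."""
    findings = []
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    if end is None:
        findings.append("unrecognised or truncated image container")
    elif end < len(data):
        findings.append(f"{len(data) - end} trailing bytes after image terminator")
    hits = [m.decode() for m in SCRIPT_MARKERS if m in data]
    if hits:
        findings.append("script-like strings: " + ", ".join(hits))
    return findings

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a valid 1x1 RGB PNG, then the same file with a harmless script appended after IEND.
CLEAN_PNG = (PNG_SIG
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
             + _chunk(b"IEND", b""))
TAMPERED_PNG = CLEAN_PNG + b"<script>document.title='smuggled';</script>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, scan_image(blob) or "ok")
```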
Shlayer malware
In February 2018, Intego researchers first discovered the Shlayer malware spreading through BitTorrent file-sharing sites, which are well known for distributing malware and adware. “The initial trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer uses shell scripts to download additional malware or adware to the infected system,” Intego researchers said in a detailed malware analysis.

Because the Trojan masquerades as a Flash update, victims are unaware of its malicious intent, Confiant researchers said. Infected “users are redirected to the installer via forced redirects aimed specifically at Safari users on the desktop,” the researchers said. Eliya Stein, Confiant's senior security engineer, told Threatpost that the campaign is still ongoing, but the bad actor rotates payloads and domains regularly.

Malvertising Evolution
Little is known about the attack operator, Stein said, except that researchers dubbed the bad actor “VeryMal” based on one of its serving domains (veryield-malyst[.]com). The Confiant and Malwarebytes research team said this latest malware campaign shows how tactics continue to evolve as bad actors seek to spread malware at scale while staying hidden through obfuscation. “As malware detection continues to mature, sophisticated attackers are beginning to learn that obvious obfuscation methods no longer do the job,” they said. “The output of common JavaScript obfuscators is a very specific type of gibberish that can be easily recognized by the naked eye. Such tactics are useful for smuggling payloads without using hex-coded strings or bulky lookup tables.”