Macs running latest OS are vulnerable to Shlayer 2.0

UPDATED A new variant of malware is infecting Apple operating systems by posing as an Adobe Flash software update, researchers at Carbon Black’s Threat Analysis Unit (TAU) have found.

The malware is the latest evolution of OSX/Shlayer and is said to affect versions of macOS from 10.10.5 to 10.14.3 (Mojave).

Like its predecessor, the malware spreads when a user clicks on a malicious web link, typically posing as an Adobe Flash Player upgrade. From here, a payload is leveraged through a DMG file, where privilege escalation and the downloading of additional malware are possible.

“Many of the initial DMGs are signed with a legitimate Apple developer ID and use legitimate system applications via bash to conduct all installation activity,” Carbon Black wrote in a blog post. “Although most samples were DMG files, we also discovered [...] zip payloads.”

A command script found in a hidden directory is executed as soon as the malicious file is downloaded on the user’s system.
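As an added defensive example (not code from the article or from Carbon Black), the following POSIX shell function flags the staging pattern described above: command scripts tucked into hidden (dot-prefixed) directories of a mounted disk image. The mount point argument is assumed to be a freshly attached volume, e.g. under /Volumes; on macOS you would pair this with spctl --assess on the bundle, which is not shown here.

```shell
#!/bin/sh
# Added example: report command scripts hidden in dot-directories of a
# mounted image. Only the file layout is inspected, so this runs on any
# POSIX system; it does not execute or open the files it reports.

find_hidden_scripts() {
    mount_point="$1"

    # Walk every regular file that sits below a hidden directory.
    # -path '*/.*/*' requires a path component that begins with '.'.
    find "$mount_point" -type f -path '*/.*/*' 2>/dev/null |
    while IFS= read -r f; do
        # Flag files with the executable bit set, and any file whose
        # first two bytes are a shebang even when +x was never applied
        # (installers often chmod at run time).
        if [ -x "$f" ] || [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage (assumed mount point, constructed for illustration):
#   find_hidden_scripts /Volumes/FlashPlayerUpdate
```

An empty result does not clear an image; it only means no script was staged under a hidden directory, so the developer-ID signature and notarization status still need to be checked separately.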