Malware Hidden in Ad Images Targets Mac Users

A huge adware campaign that has so far impacted up to a million Mac users has been using a complex steganography technique to hide malware in images. Adware is defined as any software application in which advertising banners are displayed while a program is running, and is more common on computers than phones. Adware has been criticized in the past for including code that tracks and records a user’s personal information or browsing habits; this would be classified as spyware.

Researchers at Confiant and Malwarebytes stated the attacks have been ongoing since 11 January 2019. The ads use steganography to spread. Steganography is when code is hidden within safe-looking text and images. We have seen steganography being used in the past year, most notably in images on trusted Google sites, and also in memes on Twitter. However, this is the first attack of its kind targeting Mac users.

The victim comes across an image with malicious code hidden within it. If the user clicks on the image, JavaScript malware will infect the Mac with a Shlayer trojan masquerading as a Flash upgrade.

Jerome Segura, head of Threat Intelligence with Malwarebytes, said:

“The malware acts both as a Trojan (disguised as a Flash Player update) and dropper for additional payloads, most notably Adware. As a result, end users may notice their machines running slower than normal and may be tricked into purchasing applications that they do not need.”

The researchers said they have detected 191,970 malicious ads so far, and estimate that one million Mac users may have been affected.

Researchers at Intego first discovered the Shlayer malware in February 2018.

Intego researchers said:

“The initial trojan horse infection (the fake Flash Player installer) component of OSX/Shlayer leverages shell scripts to download additional malware or adware onto the infected system.”

Confiant and Malwarebytes continued:

“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” they said. “The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Tactics like this are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

It looks as though more and more people are falling victim to this type of attack, and installing the Flash file because it doesn’t look like anything nefarious.

Not much is known about the actors behind the attack, or why they chose to target Mac users, but there are some theories. Mac computers have a native level of security higher than that of most Windows systems. This also makes them less attractive to hackers, since the security is harder to bypass and the user base is smaller, so a large-scale attack is tricky.

However, this also leads to a false sense of security for Mac users, who often think that their computers are immune to viruses. This may cause them to be more relaxed with their internet habits, thinking they are safe.
