Shlayer

Shlayer is a Trojan downloader that primarily targets macOS systems, known for distributing various types of adware, including Bundlore. It is distributed through fake Flash Player updates and deceptive websites, tricking users into installing unwanted software. Once executed, Shlayer connects to command-and-control servers to download additional payloads.

Symptoms

You might observe the following artifacts associated with this threat:

• Pop-up advertisements appearing unexpectedly.
• Unexpected redirects to suspicious websites.
• Installation of adware, including Bundlore, without user consent.
• Decreased system performance due to adware activity.

Technical Breakdown

Shlayer is distributed through deceptive means such as:

• Fake Software Updates: Most commonly posing as Adobe Flash Player updates, tricking users into installation.
• Deceptive Websites: Promoted via malvertising campaigns that direct users to malicious sites.

Shlayer performs the following actions:

• Payload Delivery: Connects to a command-and-control (C2) server to download additional malicious payloads, including adware.
• Persistence Mechanism: May install launch agents or login items to ensure it runs at startup.
• Traffic Redirection: Alters browser settings to redirect search traffic for ad revenue generation.

Next Steps

Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.

While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.

In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.