
Shlayer Trojan

Posted: February 15, 2019

The Shlayer Trojan is a Trojan downloader for macOS. It downloads and installs other threats on the system automatically and chiefly propagates unwanted advertising software. Mac users should let their anti-malware services remove the Shlayer Trojan in all cases and should avoid the unofficial update sources that distribute it.

Programs Slaying Your Browsing Experience – with a Bit of a Lisp

Since 2018 the Shlayer Trojan has become as well known as Windows counterparts like Purple Fox or WhiteShadow, all of which act as go-betweens in black-hat software distribution. While the Shlayer Trojan conducts conventional attacks that drop unwanted software onto the victim's machine, it targets a sometimes-underserved demographic: Mac users. Its statistics speak to its success in this regard: malware experts estimate that roughly one in three Mac infections traces back to this Trojan downloader.

The Shlayer Trojan installs itself through fake Adobe Flash update prompts, delivered both by compromised or attacker-run sites and by legitimate ones such as YouTube, via links planted in video descriptions and similar schemes. Despite its age and its continued relevance in 2020, the Shlayer Trojan's history contains few updates or significant revisions to its behavior or code. Some versions do add one extra trick to their installation routine: they stack their own permission-request pop-ups on top of the macOS security alert so that the victim never sees the warning.

Besides its installation illusion, the Shlayer Trojan has what malware researchers rate as a conventional for-profit business model, with a 'for-hire' payload that third parties modify to their preferences. The Shlayer Trojan can download and install arbitrary software but is most closely associated with well-known adware families such as Bundlore, Cimpli, Geonei and Pirit. The Shlayer Trojan's authors are paid for renting out the Trojan's installation features, and the renting parties earn revenue from the advertising traffic that the user unwillingly provides.

Dodging Advertisements Turned into Lethal Cyber-Weaponry

The Shlayer Trojan's security implications are as serious as those of any other Trojan downloader, such as the Upatre and AppleJeus families. Although its goals are financial rather than espionage-based, it remains capable of placing arbitrary software on the computer silently. That some builds use installation tricks tailored specifically to macOS also shows that its operators invest in long-term maintenance.

Fake Flash updates are a significant infection vector for business and government networks as well as for home users' computers. At the time of writing, the advice was to update Flash only through Adobe's own links and to reject any download or installation prompt from unofficial sources such as advertising networks; Adobe ended Flash Player support at the end of 2020 and no longer distributes it, so any prompt to install or update Flash should now be treated as fraudulent. Users should also double-check the Web address of any download, since typos or unexpected domains in the address are symptomatic of typo-squatting scams.

Some versions of this Trojan are code-signed with valid developer certificates, which lowers detection rates; a valid signature only shows that the certificate holder signed the file, not that the file is safe. Update any relevant anti-malware services before using them to delete the Shlayer Trojan and its related adware.
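The two checks recommended above, in one short script: is the download host really the vendor's domain (not a typo-squat or a user@host trick), and does macOS accept the downloaded installer's signature, and who signed it. This is an added example, not code from the original article or from any vendor; spctl and codesign are the standard macOS tools, the adobe.com allowlist is illustrative, and the Team ID comparison is left to the operator because the vendor's Team ID is not something this page supplies.

```shell
#!/bin/sh
# Added example (not from the original article). Two checks to run on a
# "Flash update" download before trusting it:
#   1. host_is_adobe URL     - is the download host really adobe.com?
#   2. assess_installer PATH - on macOS, does Gatekeeper accept the file,
#                              and which certificate / Team ID signed it?
# Assumption: the adobe.com allowlist is illustrative; substitute the real
# vendor domain for whatever software the prompt claims to update.

# Extract the host from a URL and accept it only if it is adobe.com or a
# subdomain of it. Look-alikes such as adobe.com.evil.example,
# adobe-update.example and http://adobe.com@evil.example/ are rejected.
host_is_adobe() {
    url="$1"
    host=$(printf '%s' "$url" \
        | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
              -e 's|/.*$||' \
              -e 's|^.*@||' \
              -e 's|:.*$||' \
        | tr 'A-Z' 'a-z')
    case "$host" in
        adobe.com|*.adobe.com) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Gatekeeper assessment of a downloaded installer. $2 is the spctl type:
# "execute" for an .app bundle, "install" for a .pkg. For a .dmg, mount it
# and assess the .app inside.
# Exit status: 0 accepted, 1 rejected or unsigned, 2 file not found,
# 3 not on macOS (spctl/codesign unavailable, e.g. when run on Linux).
assess_installer() {
    path="$1"
    kind="${2:-execute}"
    [ -e "$path" ] || return 2
    command -v spctl >/dev/null 2>&1 || return 3
    command -v codesign >/dev/null 2>&1 || return 3
    # Print the signing chain and Team ID so the operator can compare the
    # Team ID with the one the vendor publishes. A valid Developer ID
    # signature alone proves nothing: signed Shlayer builds exist.
    codesign -dv --verbose=4 "$path" 2>&1 \
        | grep -E '^(Authority|TeamIdentifier)=' || true
    if spctl --assess --type "$kind" "$path" 2>/dev/null; then
        echo "ACCEPTED by Gatekeeper: $path"
        return 0
    fi
    echo "REJECTED by Gatekeeper (unsigned, revoked or not notarized): $path"
    return 1
}

# Usage: sh check_update.sh <download-url> [<path-to-app-or-pkg> [execute|install]]
if [ $# -ge 1 ]; then
    if host_is_adobe "$1"; then
        echo "host check: OK ($1)"
    else
        echo "host check: NOT adobe.com, refuse this download ($1)"
    fi
    if [ -n "${2:-}" ]; then
        assess_installer "$2" "${3:-execute}"
    fi
fi
```

The host check deliberately matches only adobe.com and its subdomains, so a prompt pointing at adobe.com.evil.example or adobe-update.example fails even though both contain the vendor's name; the signature check reports the Team ID rather than deciding on it, because the page's own point is that a signed file can still be Shlayer.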

The Shlayer Trojan is a well-thought-out way of doing business through macOS software. That it does so outside the bounds of the law is a problem for the victims hosting it, but not so much for the Black Hat programmers.
