
ZShlayer

Posted: September 14, 2020

ZShlayer is an updated variant of Shlayer, a Trojan downloader that usually installs adware on macOS systems. It spreads through fake software updates and cracked applications that users download unknowingly, and it uses heavy obfuscation to evade detection. Malware experts recommend keeping macOS-compatible anti-malware software up to date as a general-purpose security measure; such software should detect and remove ZShlayer.

The Ominous Meaning of an Extra Letter on Infamous Adware

Shlayer has long been part of the macOS threat landscape. Its payload is a seemingly minor 'nuisance' (installing programs that display advertisements), but its distribution methods are particularly invasive. Malware experts can confirm roughly a year's worth of evolution in the family, including a period in which its installers carried Apple notarization, which let them pass Gatekeeper checks during installation until Apple revoked it. ZShlayer positions itself as the next step forward for this non-consensual delivery service for advertising software, whether anyone wants it or not.


ZShlayer keeps the core functionality of the old Shlayer: installer scripts that fetch and install third-party programs which display unwanted advertisements, such as pop-ups and affiliate links injected into the text of Web pages. What ZShlayer adds is obfuscation of those installer scripts, which are now written for Zsh (the Unix Z shell) rather than as plain shell scripts. It also changes the packaging: instead of a bare shell-script executable, the Trojan ships as a conventional Apple application bundle (.app). These structural changes are large enough that earlier Shlayer signatures no longer match the ZShlayer update, which could let the new version of the Trojan downloader slip past static detection in security software.
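To make the structural point concrete, the following bash script is an added example (not code from the original article, nor from any vendor or from ZShlayer itself) that triages a macOS .app bundle: it reads the bundle's main executable from Info.plist, checks whether that file is a compiled Mach-O binary or an interpreted zsh/sh script, and, for scripts, counts a few obfuscation indicators. It assumes an XML (not binary) Info.plist with one tag per line, and the indicators it looks for (eval, base64 or similar decoding, zsh substring expansion, very long lines) are illustrative heuristics chosen for the demonstration, not signatures taken from ZShlayer samples. The sample bundle it can build is constructed for the demo and its stub script is never executed by the triage.

```shell
#!/bin/bash
# Added example, not from the original article: triage a macOS .app bundle whose
# main executable is an interpreted shell script instead of a Mach-O binary.
# Assumption: Info.plist is XML (on macOS, `plutil -convert xml1` turns a binary
# plist into this form); the obfuscation indicators below are illustrative only.

# Print the CFBundleExecutable value from an XML Info.plist (one tag per line).
bundle_executable() {
  awk '/<key>CFBundleExecutable<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

# Classify a file by its first bytes: "macho", "script:<interpreter>" or "other".
exec_kind() {
  local f="$1" magic
  magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) echo macho ;;   # Mach-O / fat magic
    2321*) echo "script:$(head -n 1 "$f" | sed 's/^#![ ]*//')" ;; # "#!" shebang
    *) echo other ;;
  esac
}

# Count illustrative obfuscation indicators in a script (0-4): eval, decoding of
# embedded data, zsh substring expansion ${var[a,b]}, and lines over 500 bytes.
obfuscation_score() {
  local f="$1" score=0
  grep -qE '(^|[^A-Za-z_])eval([^A-Za-z_]|$)' "$f" && score=$((score + 1))
  grep -qE 'base64 (-d|--decode|-D)|xxd -r|openssl (enc|aes)' "$f" && score=$((score + 1))
  grep -qE '\$\{[^}]*\[[0-9]+,[0-9]+\]' "$f" && score=$((score + 1))
  awk 'length > 500 { found = 1 } END { exit !found }' "$f" && score=$((score + 1))
  echo "$score"
}

# Verdict for a bundle: "suspicious" when the main executable is a zsh/sh script
# with at least two indicators; otherwise "script-clean", "macho" or "other".
triage_bundle() {
  local app="$1" exe kind
  exe="$app/Contents/MacOS/$(bundle_executable "$app/Contents/Info.plist")"
  [ -f "$exe" ] || { echo missing-executable; return; }
  kind=$(exec_kind "$exe")
  case "$kind" in
    script:*zsh*|script:*bash*|script:*/sh*)
      if [ "$(obfuscation_score "$exe")" -ge 2 ]; then echo suspicious; else echo script-clean; fi ;;
    macho) echo macho ;;
    *) echo other ;;
  esac
}

# Build a constructed sample bundle for the demo: kind "script" writes an
# obfuscated-looking zsh stub (its base64 decodes to "echo sample" and is never
# run by the triage); kind "macho" writes only the 64-bit Mach-O magic bytes.
make_sample_bundle() {
  local app="$1" kind="$2"
  mkdir -p "$app/Contents/MacOS"
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0"><dict>' \
    '<key>CFBundleExecutable</key>' '<string>Player</string>' '</dict></plist>' \
    > "$app/Contents/Info.plist"
  if [ "$kind" = macho ]; then
    printf '\317\372\355\376' > "$app/Contents/MacOS/Player"
  else
    printf '%s\n' '#!/bin/zsh' 'b="ZWNobyBzYW1wbGU="' 'k="${b[1,8]}${b[9,16]}"' \
      'eval "$(echo "$k" | base64 -d)"' > "$app/Contents/MacOS/Player"
  fi
  chmod +x "$app/Contents/MacOS/Player"
}

# Usage: ./triage.sh /path/to/Some.app [...]
for app in "$@"; do
  echo "$app: $(triage_bundle "$app")"
done
```

The point of the check is the one the paragraph makes: a signature written for a bare Shlayer shell script says nothing about a bundle, so the triage looks at what the bundle actually runs. A script-based main executable is not malicious on its own (legitimate wrappers exist), which is why the verdict also requires obfuscation indicators; tune the threshold and indicator list to your own environment.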

Although malware researchers can't discern significant changes to the adware-affiliate focus of ZShlayer's payload, the update has another twist. Shlayer campaigns have often used fake software updates, particularly for Adobe's Flash Player. ZShlayer takes a very different tack: cracked software bundles, thereby infecting software pirates who have a vested interest in expensive, in-demand premium products. At the time of writing, the only known infection vectors for ZShlayer are unofficial sources outside of Apple's centralized application storefront.

Stepping Around Well-Laid Advertising Traps

Users with stricter, safety-minded downloading and Web-surfing habits are at much less risk of exposure to both ZShlayer and the original Shlayer Trojan. Avoiding unknown websites, torrents, and other uncurated file-sharing sources will block most of the installation tricks used by this advertising software family. More specifically, malware experts recommend ignoring software-update prompts that do not come directly from the vendor's own website, such as update prompts delivered through advertising networks.

ZShlayer may circulate in bundles that also include a genuinely working 'cracked' version of the premium product. The fact that a program or media file, such as a movie, installs and plays without problems is not an indication that no threat came with it. Many attackers prefer to deliver Trojans and other threats alongside functional or seemingly-working downloads that double as distractions.

Threat actors behind ZShlayer often use digital code-signing certificates, script obfuscation, and other means of concealing their identity and the script's contents. Users can counter these updates by keeping the threat databases of their security software current and by submitting quarantined samples to reputable security researchers. macOS-compatible anti-malware tools should be given the opportunity to scan incoming downloads, including software installers, so that ZShlayer is removed as early as possible.

Extra advertisements might not sound like a significant problem, but pop-ups from ZShlayer's preferred Cimpli or Pirrit adware can expose users to drive-by downloads and a range of other tactics and attacks. For the unlucky, the price of avoiding paying upfront for a product becomes another cost, paid out of one's online safety.
