Shlayer, a malware Trojan family, was last year identified at least once on every 10th device using Kaspersky solutions for Mac, making this threat the most widespread yet for macOS users. A smart malware distribution system, it spreads via a partner network, entertainment websites and even Wikipedia, demonstrating that even users who only visit legitimate sites still need additional protection online.
Although macOS is traditionally considered a much safer and more secure system, there are still cybercriminals trying their luck at profiting from macOS users. Based on Kaspersky statistics, Shlayer – the most widespread macOS threat in 2019 – is a good example of that. It specialises in the installation of adware – programs that terrorise users by feeding them illicit ads, intercepting and gathering users’ browser queries, and modifying search results to distribute even more advertising messages.
Shlayer’s share among all attacks on macOS devices registered by Kaspersky products in January – November 2019 amounted to almost a third (29.28%), with nearly all other top 10 macOS threats being the adware that Shlayer installs: AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, AdWare.OSX.Pirrit and AdWare.OSX.Cimpli. Furthermore, ever since Shlayer was first detected, its infection algorithm has hardly changed, and its activity has barely decreased, making it an especially relevant threat that users need protection from.
The infection process often consists of two phases – first the user installs Shlayer, then the malware installs a selected type of adware. Device infection, however, starts with an unwitting user downloading the malicious program. In order to achieve installations, the threat actor behind Shlayer set up a malware distribution system with a number of channels leading users to download the malware.
Shlayer is offered as a way to monetise websites in a number of file partner programs, with relatively high payment for each malware installation made by American users, prompting over 1,000 ‘partner sites’ to distribute Shlayer. This scheme works as follows: a user looks for a TV series episode or a football match, and advertising landing pages redirect them to fake Flash Player update pages. From here the victim would download the malware. For each such installation, the partner who distributed links to the malware receives a pay-per-install payment.
Other schemes lead to a fake Adobe Flash update page redirecting users from various large online services with multi-million audiences, including YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in the articles’ references. Users that clicked on these links would also get redirected to the Shlayer download landing pages. Kaspersky researchers found 700 domains with malicious content, links to which were placed on a variety of legitimate websites.
Almost all of the websites that led to a fake Flash Player contained content in English. This corresponds with the top countries where users have been affected by the threat – the USA (31%), Germany (14%), France (10%) and the UK (10%).
“The macOS platform is a good source of revenue for cybercriminals, who are constantly looking for new ways to deceive users, and actively use social engineering techniques to spread their malware. This case demonstrates that such threats can be found even on legitimate sites. Luckily for macOS users, the most widespread threats that target macOS currently revolve around feeding illicit advertising rather than something more dangerous, such as stealing financial data. A good web security solution can protect users from threats such as these, making the experience of searching the web safe and pleasant” – says Anton Ivanov, Kaspersky security analyst.
Kaspersky solutions detect Shlayer and its artefacts with the following verdicts:
Pages, artefacts and links for this Trojan family, as well as additional details of the findings, can be found on Securelist.com.
To reduce the risk of infection with Trojans such as Shlayer, Kaspersky recommends:
- Installing programs and updates only from trusted sources
- Finding out more information about the entertainment website you are planning to visit: scan its reputation on the internet and try to find feedback on it
- Using a reliable security solution like Kaspersky Security Cloud that delivers advanced protection on Mac, as well as on PC and mobile devices
SA’s Internet goes down again
South Africa is about to experience a small repeat of the lower speeds and loss of Internet connectivity suffered in January, thanks to a new undersea cable break, writes BRYAN TURNER
Internet service provider Afrihost has notified customers that there are major outages across all South African Internet Service Providers (ISPs), as a result of a break in the WACS undersea cable between Portugal and England.
The cause of the cable break is unclear. It marks the second major breakage event along the West African Internet sea cables this year, and comes at the worst possible time: as South Africans grow heavily dependent on their Internet connections during the COVID-19 lockdown.
As a result of the break, the use of international websites and services, including VPNs (virtual private networks), may suffer increased latency – lower speeds and slower response times.
WACS runs from Yzerfontein in the Western Cape, up the West Coast of Africa, and terminates in the United Kingdom. It makes a stop in Portugal before it reaches the UK, and the breakage is reportedly somewhere between these two countries.
The cable is owned in portions by several companies, and the portion where the breakage has occurred belongs to Tata Communications.
The alternate routes are:
- SAT3, which runs from Melkbosstrand also in the Western Cape, up the West Coast and terminates in Portugal and Spain. This cable runs nearly parallel to WACS and has less Internet capacity than WACS.
- ACE (Africa Coast to Europe), which also runs up the West Coast.
- The SEACOM cable runs from South Africa, up the East Coast of Africa, terminating in both London and Dubai.
- The EASSy cable also runs from South Africa, up the East Coast, terminating in Sudan, from where it connects to other cables.
The routes most ISPs in South Africa use are WACS and SAT3, due to cost reasons.
The impact will not be as severe as in January, though. All international traffic is being redirected via alternative cable routes. This may be a viable method for connecting users to the Internet but might not be suitable for latency-sensitive applications like international video conferencing.
SA cellphones to be tracked to fight coronavirus
Several countries are tracking cellphones to understand who may have been exposed to coronavirus-infected people. South Africa is about to follow suit, writes BRYAN TURNER
From Israel to South Korea, governments and cell networks have been implementing measures to trace the cellphones of coronavirus-infected citizens, and who they’ve been around. The mechanisms countries have used have varied.
In Iran, citizens were encouraged to download an app that claimed to diagnose COVID-19 with a series of yes or no questions. The app also tracked real-time location with a very high level of accuracy, provided by the GPS sensor.
In Germany, all cellphones on Deutsche Telekom are being tracked through cell tower connections, providing a much coarser location, but a less invasive method of tracking. The data is being handled by the Robert Koch Institute, the German version of the US Centers for Disease Control and Prevention.
In Taiwan, those quarantined at home are tracked via an “electronic fence”, which determines if users leave their homes.
In South Africa, preparations have started to track cellphones based on cell tower connections. The choice of this method is understandable, as many South Africans may either feel an app is too intrusive to have installed, or may not have the data to install the app. This method also allows more cellphones, including basic feature phones, to be tracked.
This means that users can be tracked on a fairly anonymised basis, because these locations are only accurate to within about 2 square kilometres. Clearly, this method of tracking is not meant to monitor individual movements, but rather to gain a sense of who has been around which general area.
This data could be used to find lockdown violators, if one considers that a phone connecting in Hillbrow for the first 11 days of lockdown, and then connecting in Morningside for the next 5, likely indicates a person has moved for an extended period of time.
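As an added illustration of the reasoning in the preceding paragraph (not code from this article or from any network operator), the following Python applies the dwell-time heuristic to constructed tower-connection records; the tower IDs, the tower-to-suburb map and the two sample handsets are invented. It also shows why collapsing towers to coarse areas matters: a handset bouncing between two towers in the same suburb is not a move, and a daily commuter is not flagged either.

```python
from collections import Counter
from itertools import groupby

# Constructed data: which cell tower a (pseudonymous) handset connected to on
# each lockdown day. Tower IDs and the tower-to-suburb map are invented for
# illustration, not real network data. Cell-level data is only accurate to a
# few square kilometres, so the suburb is the finest unit worth reasoning about.
TOWER_AREA = {"T1": "Hillbrow", "T2": "Hillbrow", "T3": "Morningside", "T4": "Sandton"}

def daily_dominant_area(connections):
    """connections: list of (day, tower_id). Returns {day: most frequent area}.
    Several connections per day collapse to the one coarse area seen most."""
    per_day = {}
    for day, tower in connections:
        per_day.setdefault(day, Counter())[TOWER_AREA[tower]] += 1
    return {day: c.most_common(1)[0][0] for day, c in sorted(per_day.items())}

def area_runs(daily_areas):
    """Collapse consecutive days in the same area into (area, first_day, last_day).
    Run length is measured in calendar days, so a day with no connections
    does not split a run."""
    runs = []
    for area, grp in groupby(sorted(daily_areas.items()), key=lambda kv: kv[1]):
        days = [d for d, _ in grp]
        runs.append((area, days[0], days[-1]))
    return runs

def extended_move(connections, min_days=5):
    """Return (from_area, to_area) if the handset spent at least min_days in one
    area and then at least min_days in a different area; otherwise None.
    Daily commuting produces one-day runs and is deliberately not flagged."""
    runs = area_runs(daily_dominant_area(connections))
    for (a1, s1, e1), (a2, s2, e2) in zip(runs, runs[1:]):
        if e1 - s1 + 1 >= min_days and e2 - s2 + 1 >= min_days and a1 != a2:
            return (a1, a2)
    return None

# Constructed sample: the article's scenario, 11 days in Hillbrow (alternating
# between two Hillbrow towers) followed by 5 days in Morningside.
MOVER = [(d, "T1" if d % 2 else "T2") for d in range(1, 12)] + [(d, "T3") for d in range(12, 17)]
# Constructed sample: a commuter alternating between two suburbs every day.
COMMUTER = [(d, "T1" if d % 2 else "T4") for d in range(1, 17)]

if __name__ == "__main__":
    print(extended_move(MOVER))     # ('Hillbrow', 'Morningside')
    print(extended_move(COMMUTER))  # None
```

Raising `min_days` shows the trade-off: the same data stops flagging the mover once the second stay is shorter than the threshold.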
Communications minister Stella Ndabeni-Abrahams said that South African network providers have agreed to provide government with location data to help fight COVID-19.
Details on how the data will be used, and what it will be used to determine, are still unclear.