For the Shlayer malware, please write a short paragraph based on the given background and website info:
- Shlayer – Trojan
Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater.
https://www.cisecurity.org/insights/blog/top-10-malware-march-2022
The directory with executable files inside the application package contains two Python scripts: gjpWvvuUD847DzQPyBI (main) and goQWAJdbnuv6 (auxiliary). The latter implements data encryption functions by means of a byte shift using a key:
- The encryptText/decryptText pair of functions encrypt and decrypt strings;
- encryptList encrypts the contents of the list passed in the arguments; decryptList performs the inverse operation;
- The getKey() function generates an encryption key based on the time in the operating system.
Shlayer itself performs only the initial stage of the attack — it penetrates the system, loads the main payload, and runs it. The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family, which was being actively downloaded by the Trojan at the time of writing.
The version of Trojan-Downloader.OSX.Shlayer.e discussed above was propagated in a slightly different way. Similar to the previous scheme, users ended up on a page seemingly offering an Adobe Flash update. But they were redirected there from large online services boasting a multimillion-dollar audience.
https://securelist.com/shlayer-for-macos/95724/
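The Securelist excerpt above describes the auxiliary script's scheme only in outline: a byte shift, a key derived from the OS clock, and the encryptText/decryptText and encryptList/decryptList pairs. The following is an added illustration of what such a scheme looks like and why it gives an analyst so little trouble; it is not Shlayer's code. The function names follow the excerpt, but the bodies, the key derivation (epoch seconds mod 256) and the sample string are assumptions. The analyst-side recover_candidates() shows the consequence of a one-byte key: all 256 shifts can be tried and the word-like outputs ranked, so the obfuscated strings are readable without ever knowing the timestamp.

```python
import string
import time

# Added illustration (not Shlayer's code): a byte-shift obfuscation keyed by
# the clock, in the shape the Securelist excerpt describes, plus the analyst
# side: a 256-value key space is recovered by exhaustive trial.

PRINTABLE = frozenset(string.printable.encode("ascii"))
LETTERS = frozenset(string.ascii_letters.encode("ascii"))
SPACE = ord(" ")


def getKey(now=None):
    """Derive a one-byte shift from the OS clock (assumed derivation:
    seconds since the epoch, reduced mod 256). Note that key 0, which
    leaves the data unchanged, is one of the possible outputs."""
    if now is None:
        now = time.time()
    return int(now) % 256


def encryptText(text, key):
    """Shift each byte of the UTF-8 encoding forward by key, mod 256."""
    return bytes((b + key) % 256 for b in text.encode("utf-8"))


def decryptText(data, key):
    """Inverse of encryptText: shift each byte back and decode."""
    return bytes((b - key) % 256 for b in data).decode("utf-8")


def encryptList(items, key):
    """Apply encryptText to every string in the list."""
    return [encryptText(item, key) for item in items]


def decryptList(items, key):
    """Apply decryptText to every element; inverse of encryptList."""
    return [decryptText(item, key) for item in items]


def recover_candidates(data):
    """Analyst side. Try all 256 shifts, keep those whose output is entirely
    printable ASCII and rank them by a simple word-likeness score (each
    letter counts 1, each space counts 2). Returns (key, text) pairs, best
    first; the true key is always in the list because the key space is tiny."""
    candidates = []
    for key in range(256):
        plain = bytes((b - key) % 256 for b in data)
        if plain and all(b in PRINTABLE for b in plain):
            score = sum(1 for b in plain if b in LETTERS) + 2 * plain.count(SPACE)
            candidates.append((score, key, plain.decode("ascii")))
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return [(key, text) for _, key, text in candidates]


if __name__ == "__main__":
    key = getKey(1_700_000_042)  # constructed timestamp, yields key 42
    blob = encryptText("open -a /Applications/Fake.app", key)  # constructed sample
    print("key", key, "ciphertext", blob.hex())
    for k, text in recover_candidates(blob)[:3]:
        print(f"candidate key={k:3d}: {text!r}")
```

For the constructed sample only eleven of the 256 shifts decode to printable text, and the scoring puts the real string first; an analyst working on a real dump would read the top few candidates rather than trusting the score blindly. The point for triage is that the clock-based key adds nothing: whatever getKey() returns, the ciphertext is one of 256 trivial variants of the plaintext.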
Evasion Techniques – Summary
Here is a summary of the evasion techniques implemented by Shlayer:
- Static Detection: In each one of the stages described above, Shlayer decrypts files and executes their code in runtime memory. This technique allows Shlayer to evade static detection mechanisms, such as old-school static anti-virus solutions.
- Code-Signing & Safe-Browsing: Shlayer evades Apple's Code-Signing and Safe-Browsing security mechanisms (such as by Chrome and Safari) by utilizing dynamic content download (as further described in stage 2 above).
- Network Security: Shlayer transmits encrypted payloads over the network, thus it evades network security solutions.
In Conclusion
The Shlayer Adware disguises as a legitimate Flash-Player installer. It uses a few simple and evasive Bash scripts, which act as droppers. After two stages where Bash scripts are executed, the Mach-O binary installer is executed.
Then victims are fingerprinted as their system information such as MAC address and Hardware UUID is harvested. Finally, Shlayer encrypts the data and sends it to a remote C&C to determine the specific applications and extensions to provide the victim.
The approach of either dropping stages, mixed with the 3rd Mach-O installer, is interesting as it manages to successfully evade all of the following security measures:
- Apple’s built-in security mechanisms
- Antiviruses, either static or dynamic in some cases.
- Network security solutions
https://malwareanalysis.co/the-malware-shlayer/
* A brief description of the malware including:
- the date of the first incident’s report
- How does it work,
* Explain:
- How one should protect his/her system against this malware
- If infected, how one can cope with that? Is there any solution?