Coming Out of Your Shell: From Shlayer to ZShlayer

This article analyzes a ZShlayer variant of the macOS Shlayer malware that shifts from Bash to Zsh and uses heavy obfuscation and encoded payloads to evade static detections and Apple Notarization checks. It explains the decoding workflow, how the final payload is retrieved, and the malware’s prevalence in the wild. #Shlayer #ZShlayer

Keypoints

  • Shlayer’s new variant uses Zsh scripts and heavy obfuscation to evade static signatures and Notarization checks.
  • DMG-delivered app bundles replace older DMG-based Mach-O/Bash approaches.
  • The bundle is codesigned but not notarized, indicating potential social engineering or Catalina-era compatibility.
  • Base64-encoded resources and a decode workflow (ZShlayer_decode.py) reveal the payload.
  • Decoded scripts drop a first-stage Bash payload and fetch a second-stage payload from a remote server.
  • The process collects OS version, a session UID and machine ID for server processing.
  • VirusTotal retrohunt shows numerous ZShlayer samples since June 2020 (172 samples in the latest retrohunt).

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – Heavily obfuscated Zsh scripts and base64-encoded resources used to avoid static detection. ‘In place of a Mach-O in the MacOS folder, we instead find this heavily obfuscated Zsh script (only partially shown in the image below):’
  • [T1140] Deobfuscate/Decode Files or Information – A Python helper, ZShlayer_decode.py, decodes the base64-encoded resources to reveal the payload. ‘The full ZShlayer_decode.py script is available here.’
  • [T1059.004] Unix Shell – The Zsh script indicates shell execution; ‘Seeing from the shebang that it’s a shell script, however, immediately tells us that we can isolate each command by introducing a line break at every semicolon.’
  • [T1116] Code Signing – The bundle is codesigned, but it has not been notarized; ‘The entire bundle is codesigned, but it has not been notarized, indicating that the malware is either intended as a payload for 10.14 or earlier installations…’
  • [T1082] System Information Discovery – The script gathers OS version, a session UID and machine ID and posts to the server; ‘The final payload from this point depends on the context of the executing device. As can be seen above, the script gathers OS version, a session UID and machine ID, all of which it posts to the server for processing.’
  • [T1105] Ingress Tool Transfer – The final payload is downloaded from a remote URL (CloudFront) after device context is determined; ‘http[:]//dqb2corklaq0k[.]cloudfront[.]net/ 13[.]226[.]23[.]203’
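As an added analysis example (not the post's ZShlayer_decode.py, which is not reproduced here), this Python helper applies the two steps the post describes: isolating each command at every semicolon, then base64-decoding the encoded resources found in each command. SAMPLE_SCRIPT, STAGE_ONE and BLOB are constructed stand-ins, not the real malware.

```python
import base64
import binascii
import re

# Constructed sample, not the real ZShlayer script: it mimics the pattern the
# post describes, one long line of ';'-chained commands that pipes a base64
# resource through `base64 -d` to drop the next stage.
STAGE_ONE = "echo 'constructed stage one'"
BLOB = base64.b64encode(STAGE_ONE.encode()).decode()
SAMPLE_SCRIPT = f"#!/bin/zsh\nx='a;b';cd /tmp;echo {BLOB} | base64 -d > s1.sh;chmod +x s1.sh"

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def split_commands(script):
    """Isolate commands at each ';' or newline, skipping separators that sit
    inside quotes or behind a backslash (a quoted ';' is not a boundary)."""
    commands, buf, quote, escaped = [], [], None, False
    for ch in script:
        if escaped:                       # previous char was an unquoted '\'
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quote != "'":
            buf.append(ch)
            escaped = True
        elif quote:                       # inside '...' or "..."
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            buf.append(ch)
            quote = ch
        elif ch in ";\n":                 # command boundary
            if cmd := "".join(buf).strip():
                commands.append(cmd)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return commands + [tail] if tail else commands

def decode_base64_tokens(command):
    """Return the printable plaintext of every valid base64 token in a command."""
    decoded = []
    for token in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                      # not base64, or not text: ignore
        if text.isprintable():
            decoded.append(text)
    return decoded
```

Running `split_commands(SAMPLE_SCRIPT)` yields one command per line, and `decode_base64_tokens` on the `echo ... | base64 -d` command returns the dropped stage as plaintext.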

Indicators of Compromise

  • [Hash] ZShlayer Scripts – 269d5f15da3bc3522ca53a3399dbaf4848f86de35d78c636a78336d46c23951c, e3292268c1d0830e76c3e80b4ea57921b9171027e07f064ef3b867b6d0450191 and 4 other hashes
  • [Hash] Parent DMGs – f6cb7f9593d85f0cd1e81d5b9f520b74d9bf5e829206cefe05b956c0f7638c28, 3e20c0b2979a368c7d38cf305f1f60693375165bb76150ad80dbd34e7e0550ed and 4 other hashes
  • [Domain] C2 domain – http[:]//dqb2corklaq0k[.]cloudfront[.]net/
  • [IP] C2/payload host – 13[.]226[.]23[.]203

Read more: https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/