Shlayer Trojan family spreads via partner network of entertainment sites

Woburn, MA – January 23, 2020 – In 2019, Kaspersky prevented attacks carried out by Shlayer, a malware Trojan family, at least once on every 10th device using Kaspersky Solutions for Mac, making this threat the most widespread for macOS users. A smart malware distribution system, Shlayer spreads via a partner network, entertainment websites and even Wikipedia, demonstrating that even users who only visit legal sites still need additional protection online.

Despite macOS’ reputation as a much safer and more secure system, there are still cybercriminals trying their luck to profit from macOS users, and Shlayer is a perfect example. It specializes in the installation of adware – programs that terrorize users by feeding illicit ads, intercepting and gathering users’ browser queries, and modifying search results to distribute even more advertising messages.

Shlayer’s share among all attacks on macOS devices registered by Kaspersky products in January – November 2019 amounted to almost a third (29.28%), with nearly all other top 10 macOS threats being the adware that Shlayer installs: AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, AdWare.OSX.Pirrit and AdWare.OSX.Cimpli. Furthermore, ever since Shlayer was first detected, its infection algorithm has hardly changed, yet its activity has barely decreased, making it an especially relevant threat that users need protection from.

Verdict                                      Share of attacked users
HEUR:Trojan-Downloader.OSX.Shlayer.a         29.28%
not-a-virus:HEUR:AdWare.OSX.Bnodlero.q       13.46%
not-a-virus:HEUR:AdWare.OSX.Spc.a            10.20%
not-a-virus:HEUR:AdWare.OSX.Pirrit.p         8.29%
not-a-virus:HEUR:AdWare.OSX.Pirrit.j         7.98%
not-a-virus:AdWare.OSX.Geonei.ap             7.54% 7.47%
not-a-virus:HEUR:AdWare.OSX.Bnodlero.t       6.49%
not-a-virus:HEUR:AdWare.OSX.Pirrit.o         6.32%
not-a-virus:HEUR:AdWare.OSX.Bnodlero.x       6.19%

Top 10 macOS threats by share of attacked users of Kaspersky products for macOS, January – November 2019

The infection process often consists of two phases. First, the user installs Shlayer, then the malware installs a selected type of adware. Device infection, however, starts with an unwitting user downloading the malicious program. In order to achieve installations, the threat actor behind Shlayer set up a distribution system with a number of channels leading users to download the malware.

Shlayer is offered as a way to monetize websites in a number of file partner programs, with relatively high payment for each malware installation made by American users, prompting over 1,000 “partner sites” to distribute Shlayer. This scheme works as follows: a user looks for a TV series episode or a sports broadcast, and advertising landing pages redirect them to fake Flash Player update pages. From here, the victim would download the malware. For every such installation, the partner who distributed links to the malware receives a pay-per-install payment.

Example of Shlayer landing page

Other schemes lead to a fake Adobe Flash update page redirecting users from various large online services with multi-million-visitor audiences, including YouTube, where links to the malicious website were included in video descriptions, and Wikipedia, where such links were hidden in the articles’ references. Users that clicked on these links would also get redirected to the Shlayer download landing pages. Kaspersky researchers found 700 domains with malicious content, links to which were placed on a variety of legitimate websites.


YouTube video and Wikipedia page with malicious links in description

Almost all of the websites leading to a fake Flash Player contained content in English. This corresponds with the top countries where users have been affected by the threat – the USA (31%), Germany (14%), France (10%) and the UK (10%).

Shlayer victims’ geography, February 2018 – October 2019

“The macOS platform is a good source of revenue for cybercriminals, who are constantly looking for new ways to deceive users, and actively use social engineering techniques to spread their malware,” said Anton Ivanov, Kaspersky security analyst. “This case demonstrates that such threats can be found even on legitimate sites. Luckily for macOS users, the most widespread threats that target macOS currently revolve around feeding illicit advertising, rather than something more dangerous, such as stealing financial data. A good web security solution can protect users from threats such as these, making the experience of searching the web safe and pleasant.”

Kaspersky solutions detect Shlayer and its artefacts with the following verdicts:

  • HEUR:Trojan-Downloader.OSX.Shlayer.*
  • not-a-virus:HEUR:AdWare.OSX.Cimpli.*
  • not-a-virus:AdWare.Script.SearchExt.*
  • not-a-virus:AdWare.Python.CimpliAds.*
  • not-a-virus:HEUR:AdWare.Script.MacGenerator.gen

Pages, artefacts and links for this Trojan family, as well as additional details of the findings, can be found on

To reduce the risk of infection with Trojans such as Shlayer, Kaspersky recommends:

  • Installing programs and updates only from trusted sources
  • Finding out more information about the entertainment website you are planning to visit: scan its reputation on the internet and try to find feedback on it
  • Using a reliable security solution like Kaspersky Security Cloud that delivers advanced protection on Mac, as well as on PC and mobile devices

About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Media Contact:
Cassandra Faro

Source: Kaspersky



