
A short-lived malvertising campaign leveraged a steganography-based payload to target Mac users with the Shlayer trojan.

Named for its use of veryield-malyst[dot]com as one of its ad-serving domains, the “VeryMal” threat actor conducted its malvertising campaign between 11 January 2019 and 13 January 2019. That’s not a long time period to remain active. But the campaign boosted its visibility by affecting two top-tier exchanges that account for approximately a quarter of the top 100 publisher sites.

Anti-malware software provider Confiant believes that this technique helped the malvertising operation generate as many as five million impressions each day it was active.

Infection began when a Mac user came across an ad containing the image of a small white bar.

The image file observed by Confiant.

This file might look unremarkable, but not below the surface. The ad's JavaScript created a Canvas element and drew the image into it, which let the script use the HTML5 Canvas API to read back the image's raw pixel data rather than merely display it.

Via the use of steganography, that pixel data carried hidden code. Before decoding anything, the script checked whether the user's machine supported Apple fonts, a cheap way to single out macOS. If it didn't, the script terminated without ever reconstructing the payload, so a non-Mac visitor or sandbox saw only an ordinary image. If it did, the script looped over the pixel data, rebuilt the code needed to redirect the victim piece by piece, and then ran it.

At that point, the user landed on a web page warning them that their Adobe Flash Player was out of date and offering a fake update named "AdobeFlashPlayerInstaller.iso." As analyzed by Adam Thomas at Malwarebytes, the installer inside this disk image turned out to be the Shlayer trojan, malware known for masquerading as a Flash update in order to infect unsuspecting Mac users.
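To make the mechanism concrete, here is an added example (written for this page; it is not Confiant's analysis code nor anything recovered from the campaign) of the three pieces described above: hiding text in the least significant bits of an image's RGBA pixel data, a loader that fingerprints the visitor before it decodes anything, and the pixel loop that rebuilds the payload. It runs under Node without a browser, so the Canvas step is modelled by a plain `Uint8ClampedArray` laid out exactly like the `data` of an `ImageData` returned by `ctx.getImageData(...)`; the "small white bar" image, the redirect string and the `hasAppleFonts` predicate are all constructed stand-ins, and the Apple-font check is only assumed to resemble a `document.fonts.check(...)` call. A last helper shows a coarse defender-side heuristic for flat images like this one.

```javascript
// Added example, not the campaign's or Confiant's code. Models the RGBA buffer a
// browser script gets from ctx.getImageData(...).data with a Uint8ClampedArray.

// Constructed sample: an opaque white bar, width x height pixels (RGBA = 255,255,255,255).
function makeWhiteBar(width, height) {
  const data = new Uint8ClampedArray(width * height * 4);
  data.fill(255);
  return { width, height, data };
}

// Hide UTF-8 text in the least significant bit of each R, G and B value.
// Alpha is left untouched: browsers premultiply alpha, and RGB values of
// pixels with A < 255 may not survive a canvas round-trip intact.
// Layout: 32-bit big-endian length, then the payload bytes, MSB first.
function embedPayload(image, text) {
  const bytes = Buffer.from(text, "utf8");
  const header = Buffer.alloc(4);
  header.writeUInt32BE(bytes.length, 0);
  const bits = [...header, ...bytes].flatMap((b) =>
    Array.from({ length: 8 }, (_, i) => (b >> (7 - i)) & 1)
  );
  const capacity = (image.data.length / 4) * 3;
  if (bits.length > capacity) {
    throw new Error(`payload needs ${bits.length} bits, image holds ${capacity}`);
  }
  const out = new Uint8ClampedArray(image.data); // copy, leave the input alone
  let bi = 0;
  for (let px = 0; px < out.length && bi < bits.length; px += 4) {
    for (let c = 0; c < 3 && bi < bits.length; c++) {
      out[px + c] = (out[px + c] & 0xfe) | bits[bi++];
    }
  }
  return { width: image.width, height: image.height, data: out };
}

// The LSBs of R, G, B in pixel order, i.e. the order embedPayload wrote them.
function* lsbStream(data) {
  for (let px = 0; px < data.length; px += 4) {
    for (let c = 0; c < 3; c++) yield data[px + c] & 1;
  }
}

function readBytes(it, count) {
  const out = Buffer.alloc(count);
  for (let i = 0; i < count; i++) {
    let b = 0;
    for (let k = 0; k < 8; k++) {
      const r = it.next();
      if (r.done) throw new Error("pixel data exhausted before payload ended");
      b = (b << 1) | r.value;
    }
    out[i] = b;
  }
  return out;
}

// The "loop over the underlying data" step: walk the pixels and rebuild the text.
function extractPayload(image) {
  const it = lsbStream(image.data);
  const len = readBytes(it, 4).readUInt32BE(0);
  return readBytes(it, len).toString("utf8");
}

// Models the loader's ordering: fingerprint first, decode only on a match.
// `hasAppleFonts` stands in for the font check (assumed here to be something
// like document.fonts.check(...); not quoted from the campaign). Returns the
// decoded code rather than executing it, so it can be inspected safely.
function stagedLoader(image, hasAppleFonts) {
  if (!hasAppleFonts()) return null; // not a Mac: bail out, nothing ever decoded
  return extractPayload(image);
}

// Coarse detection heuristic: the highest Shannon entropy of the LSB stream over
// any 256-bit window. A flat, synthetic ad graphic has a constant LSB plane
// (entropy 0); embedded text pushes a window toward 1. This is only meaningful
// for flat images such as the white bar; photographs have noisy LSBs anyway.
function maxWindowLsbEntropy(image, window = 256) {
  const bits = Array.from(lsbStream(image.data));
  let best = 0;
  for (let start = 0; start + window <= bits.length; start += window / 2) {
    let ones = 0;
    for (let i = start; i < start + window; i++) ones += bits[i];
    const p = ones / window;
    const h = [p, 1 - p].reduce((s, q) => (q > 0 ? s - q * Math.log2(q) : s), 0);
    best = Math.max(best, h);
  }
  return best;
}

// Constructed redirect payload standing in for the campaign's redirect code.
const SAMPLE_PAYLOAD = 'location.replace("https://example.invalid/flash-update")';
const CLEAN_BAR = makeWhiteBar(100, 8);
const STEGO_BAR = embedPayload(CLEAN_BAR, SAMPLE_PAYLOAD);
```

Two details worth noting when reading the loader: the length header means the decoder touches only as many pixels as it needs, so a short payload in a large image leaves most of the LSB plane untouched, and because the gate runs before the loop, a detection sandbox that does not pass the fingerprint never observes the decoded code at all. The entropy helper is accordingly a check on the image, not on the script's behaviour.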

Eliya Stein, who does security engineering and research at Confiant, says this campaign illustrates malvertising actors’ drive to evade detection mechanisms:

As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done. The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.

Additional insight into this campaign can be found in Stein’s blog post.