OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7)

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | 1 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | 1 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | 1 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | Browser Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) | Attack Pattern | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | Elevated Execution with Prompt - T1548.004 (b84903f0-c7d5-435d-a69e-de47cc3578c0) | Attack Pattern | 1 |
| Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) | Attack Pattern | OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | 1 |
| Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | 1 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) | Attack Pattern | 1 |
| OSX/Shlayer - S0402 (f1314e75-ada8-49f4-b281-b1fb8b48f2a7) | Malware | Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) | Attack Pattern | 1 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2 |
| File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | 2 |
| Elevated Execution with Prompt - T1548.004 (b84903f0-c7d5-435d-a69e-de47cc3578c0) | Attack Pattern | Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | 2 |
| Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) | Attack Pattern | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |
| Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) | Attack Pattern | 2 |
| Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) | Attack Pattern | 2 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Resource Forking - T1564.009 (b22e5153-ac28-4cc6-865c-2054e36285cb) | Attack Pattern | 2 |