The situation: A user downloaded software from a torrent site that was compromised. There are some dangerous torrent websites on the web that might show you a lot of questionable intrusive ads or even spread malware on your system. Whichever torrent site you use, it’s important to take a few precautionary safety measures, such as using a VPN, to keep your data safe and your identity anonymous. When downloading software from compromised sites businesses are at risk of having compromised employee files, payroll information and other valuable company data.

Analysis of the Incident: There were signs of an internal endpoint sending out a signal to an external server, which is indicative of a command and control server communication. It is likely that cracked (illegal) software was downloaded on this machine, which potentially allowed this malware onto the endpoint.

Technical Details: “Shlayer” is a malware downloader designed to disguise itself as a fake Adobe Flash Player update, and various adware to potentially unwanted applications to promote fake search engines which spreads via BitTorrent file sharing sites when a user attempts to click a link to copy a torrent magnet link. This malware is also designed to scan compromised hosts for macOS anti-cirus products. This is certainly a malicious file, which downloads a zip file onto the machine to gain access to the host machine.Collaborate With Your Employees.

Actions Taken: The SOC team preformed an analysis on the pcap file, and did extensive OSINT on the malware in question. The result from the analysis ensured that this was not a false alert. Recommendations were given to the user and client to find and remove a file immediately to prevent any further issues within their systems.

Threat actors have been turning to scripting languages as a preferred means of both dropping malware and executing payloads. That trend has continued with some interesting innovations in response to the static detection signatures now widely in use both by Apple and other vendors.

Tarmac is distributed through OSX/ Shlayer, Research shows that OSX/Shlayer is distributed through various deceptive web pages which informs visitors that their installed Adobe Flash Player is out of date. When showing this message it encourages uses to update it by downloading a file that will infect a computer with the downloaded malware. Removing viruses from your system can help avoid an attack. To remove the Tarmac Trojan virus on your Mac device follow these steps;

  1. Remove potentially unwanted applications from your “Applications” folder: Click the Finder
  2. In the Finder window, select “Applications”.
  3. In the applications folder, look for “MPlayerX”, “NicePlayer”, or other suspicious applications and drag them to the
  4. After removing the potentially unwanted application(s) that cause online ads, scan your device.