The Uptycs threat research team has been observing over 90% of macOS malware in our daily analysis and customer telemetry alerts using shell scripts. Though these scripts have slight variations, they mostly belong to a plague of adware strains—Shlayer and Bundlore. These malware are the most predominant malware in macOS, also with a history of evading and bypassing the built-in Xprotect, Gatekeeper, Notarization and File Quarantine security features of macOS.
In this post, we will showcase the different variants of malicious shell scripts used in Shlayer and Bundlore that have been constantly in the rounds. We will also discuss the inbuilt macOS utilities leveraged by these malwares and showcase the Uptycs EDR detection capabilities.