Dubbed VeryMal, the malvertising group recently targeted Apple users in a campaign delivering a payload hidden in advertisement images. The group got its name from the domain it has used since August 2018, veryield-malyst. In the recent attack, steganography was used to conceal redirect code that led to a fake Flash update.
According to Confiant, the recent attack was triggered at least 5 million times a day and lasted for 2 days (11-13 January), targeting US users. The attack peaked on the first day and cost approximately $1.2 million during its peak activity.
According to Adam Thomas of Malwarebytes research, the fake update turned out to be a macOS adware installer named Shlayer. The malware is detected by 14 antivirus engines in the VirusTotal database. Shlayer slows the system down and displays ad popups pushing various products the user does not need. According to an Intego report from early last year, Shlayer was already using shell scripts to download additional malware back then.