Warning! VeryMal malvertiser is distributing image-based malware

Dubbed VeryMal, the malvertising group recently targeted Apple users in a campaign delivering a payload hidden in advertisement images. The group got its name from the domain it has used since August 2018, veryield-malyst. In the recent attack, steganography was used to conceal redirect code that leads to a fake Flash update.

According to Confiant, the recent attack triggered at least 5 million times a day and lasted for 2 days (11-13 January), targeting US users. The attack peaked on the first day and cost approximately $1.2 million during its peak activity.

The attack starts with publishing an ad containing an image that conceals the redirect command. After the image is fetched, JavaScript code runs to check whether certain fonts (Apple fonts) are supported. If they aren't, nothing happens; if they are, the script loops through the underlying pixel data of the image file. Each iteration reads a pixel value and translates it into an alphanumeric character, which is appended to a string. Once the entire code has been extracted from the image, the string is executed, and the resulting command redirects the user to a fake Flash update.
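The font-probe, pixel-read, execute sequence described above is a pattern a defender can screen ad creatives for before they are served. The following is an added example, not code from the article or from Confiant or Malwarebytes: a small static triage heuristic over script text that flags a creative only when all three indicator classes co-occur, so that ordinary canvas-based ads (which read pixels and set fonts but never execute decoded strings) are not flagged. The indicator regexes and the two sample scripts are constructed for illustration.

```javascript
// Added example (not from the article or the vendors it cites): static triage
// of ad-creative JavaScript for the three behaviours the article describes.
// Indicator patterns and sample scripts are constructed for illustration.

const INDICATORS = {
  // 1. Probing for platform fonts (the article: a check for Apple fonts)
  fontProbe: [/measureText\s*\(/, /\.font\s*=\s*['"]/, /document\.fonts\b/],
  // 2. Reading raw pixel data out of a canvas
  pixelRead: [/getImageData\s*\(/, /\.data\s*\[/],
  // 3. Turning bytes into a string and executing it
  dynamicExec: [/\beval\s*\(/, /new\s+Function\s*\(/, /String\.fromCharCode\s*\(/],
};

// Returns which indicator categories matched and whether all three co-occur.
function analyzeScript(source) {
  const hits = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    // No /g flag on the regexes, so .test() is stateless here.
    hits[category] = patterns.filter((re) => re.test(source)).map((re) => re.source);
  }
  const matchedCategories = Object.keys(hits).filter((k) => hits[k].length > 0);
  return {
    hits,
    matchedCategories,
    suspicious: matchedCategories.length === Object.keys(INDICATORS).length,
  };
}

// Triage a batch of named creatives; returns the names that need manual review.
function triageCreatives(creatives) {
  return Object.entries(creatives)
    .filter(([, src]) => analyzeScript(src).suspicious)
    .map(([name]) => name);
}

// Constructed sample: a benign chart ad that sets a font and reads pixels,
// but never executes anything it decoded.
const benignChart = `
  const ctx = document.getElementById('chart').getContext('2d');
  ctx.font = '14px Helvetica';
  ctx.fillText('Impressions', 10, 20);
  const px = ctx.getImageData(0, 0, 10, 10).data[0];
`;

// Constructed sample: indicator tokens only, laid out in the order the article
// describes (font probe, pixel read, execute). The decode loop is elided.
const suspiciousSample = `
  ctx.font = '12px "Apple Color Emoji"'; const w = ctx.measureText('Qq').width;
  const pix = ctx.getImageData(0, 0, img.width, img.height).data;
  /* ... per-pixel to character loop ... */
  eval(decoded);
`;

// Stand-alone run: prints the names of creatives that should be held for review.
console.log(triageCreatives({ benignChart, suspiciousSample }));
```

Requiring all three categories is the point of the heuristic: pixel reads and font setting are common in legitimate canvas ads, and it is only the addition of a dynamic-execution sink that distinguishes the loader the article describes. A real pipeline would run this over the fetched creative after any obfuscation layer is removed, since the indicator strings can be split or encoded in the raw source.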

According to Adam Thomas of Malwarebytes research, the fake update turned out to be a macOS adware installer named Shlayer. The malware is detected by 14 antivirus engines on VirusTotal. Shlayer causes system slowdowns and ad popups pushing various products the user doesn't need. According to an Intego report from earlier last year, Shlayer was already using shell scripts to download additional malware back then.