DOCSLIB.ORG

A Dangerous Trend of Cybercrime: Ransomware Growing Challenge

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Volume 5 Issue 2, February 2016 A Dangerous Trend of Cybercrime: Ransomware Growing Challenge Dr.P.B.Pathak Assistant Professor & Head, Department of Computer Science & Information Technology Yeshwant Mahavidyalaya Nanded Maharashtra, India computer or device, preventing victims from using it. Locker Abstract— Recently computers are used massively due to Ransomware use payment vouchers and Crypto Ransomware advent of the internet and technology, so as cybercriminals also use it’s Bitcoins for payment. Ransomware is considered a emerged to target innocent users to make money from the Scareware as it scares users to pay a fee or ransom. Paying for victims. People across the globe are subjected to extortion on a very large scale. Ransomware is modern and technology the ransom does not guarantee that users can eventually be enabled way of extortion. Ransomware stops you from using able to access the infected system.[11] your system or device and holds your system/device or files for ransom. The present research paper discusses Ransomware all Users may witness Ransomware threat through a variety of round i.e. What is it? What are various forms of it? How it ways. Ransomware can be downloaded by unaware users by works? How to prevent it? visiting malicious or compromised websites. It can also arrive as a either dropped or downloaded payload by other Index Terms—Bitcoin, CryptoLocker, Cybercrime, Malware, Ransomware malware. It may arrive as an attachment to a spammed email. Cybercriminals behind Ransomware are ever innovative. Ransomware attacks often use tactics like entrusting I. INTRODUCTION pornography on your screen to demand you pay a ransom to Ransomware is a kind of malware that attempts to extort remove the pornography.[2] money from a computer user by infecting and taking control of the victim’s machine, or the files or documents stored on II. RANSOMWARE AND TYPES it. Generally, the Ransomware either locks the computer to These Ransomware systematically progressed and prevent normal usage, or encrypts the documents and files on improved with the technological advances and widespread it to prevent access to the documents and files. The ransom use of Internet, to make it more scary and powerful over the demand is displayed, usually either via a text file or as a years. [3,13] webpage in the web browser. This type of malware exploits FAKEAV malware forces users to purchase their the victim's embarrassment or fear to force them pay the bogus antimalware software by showing fake ransom demanded. Ransomware may arrive as part of antimalware scanning results. another malware's payload, or may be delivered by an exploit A Ransomware zip’s certain type of files usually kit to exploit vulnerabilities on the affected computer and it .DOC, .XL, .DLL, .EXE and overwrites these, silently installs and executes the malware.[1] keeping only the password protected zip files in the user’s system along with a ransom note in the Ransomware is a way of direct and large scale revenue notepad. generation using Crypto Ransomware and Locker SMS Ransomware asks to call a premium SMS Ransomware. Crypto Ransomware encrypts personal data number and also displays a Ransomware page and files on computer and Locker Ransomware locks the continuously to users as long as they do not pay the ransom. Manuscript received Feb, 2016. A Ransomware targets Master Boot Record of a Dr.P.B.Pathak, Assistant Professor & Head, vulnerable system to prevent the operating system Department of Computer Science & Information Technology Yeshwant Mahavidyalaya Nanded,Maharashtra, India from loading and displays its ransom notification. Reveton or Police Ransomware impersonates local ISSN: 2278 – 1323 All Rights Reserved © 2016 IJARCET 371 International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Volume 5 Issue 2, February 2016 police by showing a notification page, informing This typically locks the computer’s or device’s user interface them that they were caught doing an illegal or and then asks the user to pay a fee to restore access to it. malicious activity online. Reveton employ different Locked computers will remains with limited capabilities. payment methods. Locker Ransomware leaves the underlying system and files Some Ransomware play an audio recording using the untouched meaning that the malware can potentially be victim’s native language and some bears a fake removed to restore a computer to original state. This dims digital certificate. effectiveness of locker Ransomware at extracting ransom CryptoLocker Ransomware encrypts files, rather than payments compared with its more destructive variants of locking the system to ensure that users will pay Crypto Ransomware. This type of Ransomware often though the malware is deleted. The spammed impersonate as police authorities and claims to issue fines to message contain malicious attachment, users for alleged online imprudence or criminal activities.[5] downloading attachment downloads the CryptoLocker malware. Crypto Ransomware finds and encrypts valuable data stored CryptoDefense or Cryptorbit, malware demands on the computer, making the data useless unless the user payment for its decryption services. This can easily obtains the decryption key. The developers of Crypto spread compared to other via removable drives Ransomware know that data on computers is very important eliminating need of relying on downloader malware to users and they may be desperate to get their data back, to infect systems. This malware not only encrypts preferring to pay the ransom to restore access and avoid database, web, Office, video, images, scripts, text, painful consequences. Crypto Ransomware unnoticeably and other non binary files but also deletes backup searches for files and encrypts them. Its goal is to stay files to prevent restoration of encrypted files. [9,12] unnoticed until it can find and encrypt all of the files that BitCrypt is more refined Ransomware incorporate could be important and valuable to the user. By this time the Cryptocurrency e.g., Bitcoin theft with two variants victim receives the malware’s message that that their data is first uses an English ransom note and the second encrypted. With Crypto Ransomware infections, mostly the uses a multilingual ransom note. affected computer continues to work normally, and users can CRIBIT malware also extorts in the form of Bitcoins still use the computer apart from accessing encrypted data. for unlocking files. [9] FAREIT variant, information stealing malware can steal information from various Cryptocurrency Police themed Ransomware cleverly present their ransom wallets containing important information like demands as official looking warning messages from a local transaction records, user preferences, and accounts. police. Ransom message claim that the user's computer is CryptoLocker variant Ransomware abuse Windows locked after the police identified it as being used to visit PowerShell feature to encrypt files to make threats illegal websites related to terrorism or abuse and that undetected on the system and/or network. payment of a fine is required to settle the offense and A police Ransomware infects a known critical file, directions for paying it via anonymous, untraceable user32.DLL and locks the screen of the infected disposable cash cards. TorrentLocker and CryptoWall computer thereby prevents detection by behavioral malware variants are difficult to beat and grow their monitoring tool. The infected user32.DLL will disjointed criminal activity into coordinated, improved begin a chain of routines that ends with the stealth and effective business operations. Ransomware attack Ransomware being loaded, locking the computer’s methods advanced in techniques and increased in profit in screen and projecting a ransom image messages. past few years. The social engineering has increased [10] infection rates considerably. [15] Critroni or Curve-Tor-Bitcoin (CTB) Locker Ransomware uses the Tor network to mask its C&C TorrentLocker, is successful due to its targeted campaigns. communications, asks for Bitcoins as ransom. CTB The infection chain involves a three step process: Locker variant TorrentLocker Ransomware adds URL Redirection, CAPTCHA code and redirection to a spoofed site. Getting on Malicious Page, Crowti or Cryptowall, and FakeBsod are CAPTCHA code Verification. Ransomware families. FakeBsod uses a malicious Attackers compromise web servers and redirect the URL, piece of JavaScript code to lock your web browser eventually victim gets on page controlled by cybercriminal, and show a fake warning message when you visit and victim is required to complete simple CAPTCHA code infected or malicious webpage. The warning verification test. Immediately after entering the CAPTCHA, message tells you to call the phone number in the the TorrentLocker malware is extracted and executes its message and you will be asked to pay money to fix commands to encrypt files. CryptoWall has been used to the issue.[4,14] exploit unsuspecting businesses. The timing and design of socially engineered attack keeps recipients clueless to III. HOW RANSOMWARE WORKS understand that they are attacked. The CryptoWall 3.0 uses Locker Ransomware denies access to computing resources. AES algorithms to encrypt files and an RSA to encrypt the ISSN: 2278 – 1323 All Rights Reserved © 2016 IJARCET 372 International Journal of Advanced Research in Computer Engineering
Recommended publications
  • The Evolution of Ransomware

    The Evolution of Ransomware

    The evolution of ransomware SECURITY RESPONSE The evolution of ransomware Kevin Savage, Peter Coogan, Hon Lau Version 1.0 – August 6, 2015 Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today. CONTENTS OVERVIEW ..............................................................................3 Key information ......................................................................5 Types of ransomware .............................................................5 How ransomware has evolved ...............................................7 Targets for ransomware .......................................................13 Systems impacted by ransomware ......................................14 Ransomware: How it works ..................................................18 Ransom techniques ..............................................................27 How widespread is the problem of ransomware .................33 What does the future hold for ransomware? .......................37 Conclusion ............................................................................45 Appendix ..............................................................................47 Mitigation strategies ............................................................51 Symantec detections for common ransomware families 54 Resources .............................................................................56 OVERVIEW Never before in the history of human kind have people across the world been
  • Watch out for Fake Virus Alerts

    Watch out for Fake Virus Alerts

    State of West Virginia Cyber Security Tip ALERT West Virginia Office of Information Security and Controls – Jim Richards, WV Chief Information Security Officer WATCH OUT FOR FAKE VIRUS ALERTS Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective (i.e. free virus scan) but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions. How does rogue security software get on my computer? Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on your screen while you surf the web. The "updates" or "alerts" in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security software downloads to your computer. Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to protect your computer. What does rogue security software do? Rogue security software might report a virus, even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Inversely, sometimes, when you download rogue security software, it will install a virus or other malicious software on your computer so that the software has something to detect. Some rogue security software might also: Lure you into a fraudulent transaction (for example, upgrading to a non-existent paid version of a program).
  • ESET Observed That the Focus of Android Ransomware Operators Cybercriminals, Even Though It Had Been Around for Many Years Before

    ESET Observed That the Focus of Android Ransomware Operators Cybercriminals, Even Though It Had Been Around for Many Years Before

    TRENDS IN ANDROID RANSOMWARE Authors Robert Lipovský – Senior Malware Researcher Lukáš Štefanko – Detection Engineer Gabriel Braniša – Malware Researcher The Rise of Android Ransomware Contents SUMMARY 2 RANSOMWARE ON ANDROID 2 Common infection vectors 3 Malware c&c communication 3 Malware self-protection 4 ANDROID RANSOMWARE CHRONOLOGY 5 Android defender 5 Ransomware meets fake av, meets…porn 7 Police ransomware 8 Simplocker 9 Simplocker distribution vectors 9 Simplocker in English 10 Lockerpin 11 Lockerpin’s aggressive self–defense 12 Jisut 13 Charger 15 HOW TO KEEP YOUR ANDROID PROTECTED 15 – 1 – The Rise of Android Ransomware SUMMARY RANSOMWARE ON ANDROID 2016 brought some interesting developments to the Android ransomware Ransomware, as the name suggests, is any type of malware that demands scene Ransomware is currently one of the most pressing cybersecurity a sum of money from the infected user while promising to “release” issues across all platforms, including the most popular mobile one a hijacked resource in exchange There are two general categories of malware that fall under the “ransomware” label: Authors of lock-screen types as well as file-encrypting “crypto-ransomware” have used the past 12 months to copycat effective techniques from desktop • Lock-screen ransomware malware, as well as develop their own sophisticated methods specialized • Crypto-ransomware for targets running Android devices In lock-screen types of ransomware, the hijacked resource is access to the In addition to the most prevalent scare tactics used by lock-screen
  • Mcafee Potentially Unwanted Programs (PUP) Policy March, 2018

    Mcafee Potentially Unwanted Programs (PUP) Policy March, 2018

    POLICY McAfee Potentially Unwanted Programs (PUP) Policy March, 2018 McAfee recognizes that legitimate technologies such as commercial, shareware, freeware, or open source products may provide a value or benefit to a user. However, if these technologies also pose a risk to the user or their system, then users should consent to the behaviors exhibited by the software, understand the risks, and have adequate control over the technology. McAfee refers to technologies with these characteristics as “potentially unwanted program(s),” or “PUP(s).” The McAfee® PUP detection policy is based on the process includes assessing the risks to privacy, security, premise that users should understand what is being performance, and stability associated with the following: installed on their systems and be notified when a ■ Distribution: how users obtain the software including technology poses a risk to their system or privacy. advertisements, interstitials, landing-pages, linking, PUP detection and removal is intended to provide and bundling notification to our users when a software program or technology lacks sufficient notification or control over ■ Installation: whether the user can make an informed the software or fails to adequately gain user consent to decision about the software installation or add- the risks posed by the technology. McAfee Labs is the ons and can adequately back out of any undesired McAfee team responsible for researching and analyzing installations technologies for PUP characteristics. ■ Run-Time Behaviors: the behaviors exhibited by the technology including advertisements, deception, and McAfee Labs evaluates technologies to assess any impacts to privacy and security risks exhibited by the technology against the degree of user notification and control over the technology.
  • A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics

    A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics

    UNIVERSIDAD POLITECNICA´ DE MADRID ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics PH.D THESIS Platon Pantelis Kotzias Copyright c 2019 by Platon Pantelis Kotzias iv DEPARTAMENTAMENTO DE LENGUAJES Y SISTEMAS INFORMATICOS´ E INGENIERIA DE SOFTWARE ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF: Doctor of Philosophy in Software, Systems and Computing Author: Platon Pantelis Kotzias Advisor: Dr. Juan Caballero April 2019 Chair/Presidente: Marc Dasier, Professor and Department Head, EURECOM, France Secretary/Secretario: Dario Fiore, Assistant Research Professor, IMDEA Software Institute, Spain Member/Vocal: Narseo Vallina-Rodriguez, Assistant Research Professor, IMDEA Networks Institute, Spain Member/Vocal: Juan Tapiador, Associate Professor, Universidad Carlos III, Spain Member/Vocal: Igor Santos, Associate Research Professor, Universidad de Deusto, Spain Abstract of the Dissertation Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users’ security and privacy. There exist indications that PUP prominence has quickly increased over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP such as distribution vectors, code signing abuse, and economics also remain unknown. In this thesis, we empirically and sys- tematically analyze in both breadth and depth PUP abuse, prevalence, distribution, and economics. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware.
  • Solution Brief Recovering from Ransomware with Barracuda Backup

    Solution Brief Recovering from Ransomware with Barracuda Backup

    Solution Brief Recovering from Ransomware with Barracuda Backup Ransomware is a malware variant that locks an end user’s computer or encrypts their files, then demands a sum of money to allow access or decryption. What’s worse, if an organization hands over the cash, there are often times when the attacker doesn’t play nice and still withholds the key even after payment. Ransomware is problematic for businesses because it not only results in financial loss, but also tainted credibility and lost productivity. However, this situation can be avoided if your organization has taken the steps to implement a ransomware prevention plan. In this solution brief, we will discuss some of the steps you can take to prevent ransomware attacks, as well as how to quickly recover from them using Barracuda Backup. Introduction Due to the sophistication of today’s threat landscape, ransomware can be difficult to catch right at the door. Once this malicious malware crosses the threshold, a business user is hit by a daunting message, informing the user that their computer and files have been seized, and payment is required. What’s equally perturbing is that ransomware doesn’t discriminate—it can happen to the mom and pop shops to large enterprises. It’s not a matter of if a business will get hit, but when. Protecting Your Organization from Ransomware Attackers have created many different variations of ransomware over the past few years, such as CryptoLocker, CryptoWall, TorrentLocker, TeslaCrypt, Locky, Petya, WannaCry, Bad Rabbit, and Samas. Each of these variations use new methods of infecting their victims’ computers, thereby compromising the data and network of many organizations worldwide.
  • Android Malware Category and Family Detection and Identification Using Machine Learning

    Android Malware Category and Family Detection and Identification Using Machine Learning

    Android Malware Category and Family Detection and Identification using Machine Learning Ahmed Hashem El Fiky1*, Ayman El Shenawy1, 2, Mohamed Ashraf Madkour1 1 Systems and Computer Engineering Dept., Faculty of Engineering, Al-Azhar University, Cairo, Egypt. 1 Systems and Computer Engineering Dept., Faculty of Engineering, Al-Azhar University, Cairo, Egypt. 2 Software Engineering and Information Technology, Faculty of Engineering and Technology, Egyptian Chinese University, Cairo, Egypt. [email protected] [email protected] [email protected] Abstract: Android malware is one of the most dangerous threats on the internet, and it's been on the rise for several years. Despite significant efforts in detecting and classifying android malware from innocuous android applications, there is still a long way to go. As a result, there is a need to provide a basic understanding of the behavior displayed by the most common Android malware categories and families. Each Android malware family and category has a distinct objective. As a result, it has impacted every corporate area, including healthcare, banking, transportation, government, and e-commerce. In this paper, we presented two machine- learning approaches for Dynamic Analysis of Android Malware: one for detecting and identifying Android Malware Categories and the other for detecting and identifying Android Malware Families, which was accomplished by analyzing a massive malware dataset with 14 prominent malware categories and 180 prominent malware families of CCCS-CIC- AndMal2020 dataset on Dynamic Layers. Our approach achieves in Android Malware Category detection more than 96 % accurate and achieves in Android Malware Family detection more than 99% accurate. Our approach provides a method for high-accuracy Dynamic Analysis of Android Malware while also shortening the time required to analyze smartphone malware.
  • Trojans and Malware on the Internet an Update

    Trojans and Malware on the Internet an Update

    Attitude Adjustment: Trojans and Malware on the Internet An Update Sarah Gordon and David Chess IBM Thomas J. Watson Research Center Yorktown Heights, NY Abstract This paper continues our examination of Trojan horses on the Internet; their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet - throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization’s vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented This paper represents an update and summary of our research from Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet, presented at the Eighth International Virus Bulletin Conference in Munich Germany, October 1998, and Attitude Adjustment: Trojans and Malware on the Internet, presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form. Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus Attitude Adjustment: Trojans and Malware on the Internet Trojans On the Internet… Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within.
  • The Ethics of Cyberwarfare Randall R

    The Ethics of Cyberwarfare Randall R

    This article was downloaded by: [University of Pennsylvania] On: 28 February 2013, At: 08:22 Publisher: Routledge Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK Journal of Military Ethics Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/smil20 The Ethics of Cyberwarfare Randall R. Dipert a a SUNY (State University of New York) at Buffalo, NY, USA Version of record first published: 16 Dec 2010. To cite this article: Randall R. Dipert (2010): The Ethics of Cyberwarfare, Journal of Military Ethics, 9:4, 384-410 To link to this article: http://dx.doi.org/10.1080/15027570.2010.536404 PLEASE SCROLL DOWN FOR ARTICLE Full terms and conditions of use: http://www.tandfonline.com/page/terms-and- conditions This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. The publisher does not give any warranty express or implied or make any representation that the contents will be complete or accurate or up to date. The accuracy of any instructions, formulae, and drug doses should be independently verified with primary sources. The publisher shall not be liable for any loss, actions, claims, proceedings, demand, or costs or damages whatsoever or howsoever caused arising directly or indirectly in connection with or arising out of the use of this material. Journal of Military Ethics, Vol. 9, No. 4, 384Á410, 2010 The Ethics of Cyberwarfare RANDALL R.
  • (Malicious Software) Installed on Your Computer Without Your Consent to Monitor Or Control Your Computer Use

    (Malicious Software) Installed on Your Computer Without Your Consent to Monitor Or Control Your Computer Use

    Spyware is a type of malware (malicious software) installed on your computer without your consent to monitor or control your computer use. Clues that spyware is on a computer may include a barrage of pop-ups, a browser that takes you to sites you don't want, unexpected toolbars or icons on your computer screen, keys that don't work, random error messages, and sluggish performance when opening programs or saving files. In some cases, there may be no symptoms at all. While the term spyware suggests that software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can: Collect information stored on the computer or attached network drives, Collect various types of personal information, such as Internet surfing habits, sites that have been visited Collect user names and passwords stored on your computer as well as those entered from the keyboard. Interfere with user control of the computer Install additional software on the computer Redirect Web browser activity. Change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs. The best defense against spyware and other unwanted software is not to download it in the first place. Here are a few helpful tips that can protect you from downloading software you don't want: Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads. Use anti-virus and anti-spyware, as well as a firewall software, and update them all regularly.
  • Lesson 6: Hacking Malware

    Lesson 6: Hacking Malware

    LESSON 6 HACKING MALWARE Lesson 6: Malware WARNING The Hacker Highschool Project is a learning tool and as with any learning tool there are dangers. Some lessons if abused may result in physical injury. Some additional dangers may also exist where there is not enough research on possible effects of emanations from particular technologies. Students using these lessons should be supervised yet encouraged to learn, try, and do. However ISECOM cannot accept responsibility for how any information herein is abused. The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool Project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the HHS web page at http://www.hackerhighschool.org/licensing.html. The HHS Project is an open community effort and if you find value in this project we ask that you support us through the purchase of a license, a donation, or sponsorship. 2 Lesson 6: Malware Table of Contents WARNING....................................................................................................................................................2
  • A Poisoned Apple: the Analysis of Macos Malware Shlayer By: Minh D

    A Poisoned Apple: the Analysis of Macos Malware Shlayer By: Minh D

    A Poisoned Apple: The Analysis of macOS Malware Shlayer by: Minh D. Nguyen Abstract Historically, the Microsoft Windows operating system family, which currently runs on more than 70 percent of computers in the world,7 has been the main target for malware. However, with the growing popularity of Apple’s MacBook products, the macOS operating system has become a new platform for attackers to target the general computer users. According to the 2016/2017 Security Report of AV-TEST, the number of malware samples for macOS detected in 2016 has increased by an astonishing 370 percent compared to the same figure in 2015.3 In order to address the rising interest of attackers in the macOS operating system, this project provides an analysis of a newly discovered malware for macOS, Shlayer, to reveal a well- known tactic that attackers can utilize to infect machines running on any operating system, and discusses possible countermeasures for this strategy. I. Introduction macOS is often hailed as a more secure operating system compared to its counterpart Microsoft Windows.2 However, in reality, many attacking techniques targeting Windows machines can also be applied to macOS machines. The analysis of the new Shlayer malware, discovered by researchers of Intego in February 2018,1 will reveal a familiar strategy that attackers often utilize to target victim machines without regards of the operating system. With the worldwide growth of macOS usage, it is important to recognize this attacking method and understand that in many cases, the success of an attack does not depend on the security of the operating system but on the awareness of the user.