A short-lived malvertising campaign leveraged a steganography-based payload to target Mac users with the Shlayer trojan.
Named for its use of veryield-malyst[dot]com as one of its ad-serving domains, the “VeryMal” threat actor conducted its malvertising campaign between 11 January 2019 and 13 January 2019. That is a short window in which to remain active, but the campaign boosted its visibility by affecting two top-tier exchanges that account for approximately a quarter of the top 100 publisher sites.
Anti-malware software provider Confiant believes that this reach helped the malvertising operation generate as many as five million impressions on each day it was active.
Infection began when a Mac user came across an ad containing the image of a small white bar.
This file might look unremarkable, but that wasn’t the case below the surface. VeryMal’s ad code created a Canvas object, which let it use the HTML5 Canvas API to interact with images and their underlying data.
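For teams that vet ad creatives, the Canvas behaviour described above suggests a simple static check. The following is an added example, not code from Confiant or from the campaign: it flags scripts that read image pixels back through the Canvas API, and escalates when the same script also executes strings as code. The indicator lists, verdict names, sample scripts and the `decode()` name are assumptions made for illustration.

```javascript
// Added example: static triage of ad-creative JavaScript for Canvas pixel reads.
// Indicator lists and verdict names are assumptions chosen for illustration.
const CANVAS_SETUP = [
  /createElement\s*\(\s*['"]canvas['"]\s*\)/i,
  /getContext\s*\(\s*['"]2d['"]\s*\)/,
  /(?:\.|\[\s*['"])drawImage\b/,
];
// Matches both ctx.getImageData(...) and ctx["getImageData"](...).
const PIXEL_READ = [/(?:\.|\[\s*['"])getImageData\b/];
// Places where a string recovered from pixels could be turned into running code.
const DYNAMIC_SINK = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bset(?:Timeout|Interval)\s*\(\s*['"`]/,
  /document\s*\.\s*write(?:ln)?\s*\(/,
];

function matched(src, patterns) {
  return patterns.filter((re) => re.test(src)).map((re) => re.source);
}

function assessCreative(src) {
  const found = {
    canvasSetup: matched(src, CANVAS_SETUP),
    pixelRead: matched(src, PIXEL_READ),
    dynamicSink: matched(src, DYNAMIC_SINK),
  };
  // Drawing to a canvas is normal for ads; reading pixels back is less common, and
  // reading pixels in a script that also executes strings is the risky pairing.
  let verdict = "allow";
  if (found.pixelRead.length > 0) {
    verdict = found.dynamicSink.length > 0 ? "block" : "review";
  }
  return { verdict, found };
}
// Constructed samples (not taken from the campaign); decode() is a hypothetical name.
const SAMPLES = {
  drawOnly: `var c = document.createElement("canvas");
    var ctx = c.getContext("2d"); ctx.drawImage(img, 0, 0);`,
  colorPick: `var ctx = c.getContext("2d"); ctx.drawImage(img, 0, 0);
    var px = ctx.getImageData(0, 0, 1, 1).data; el.title = px[0];`,
  pixelsToCode: `var ctx = c.getContext('2d'); ctx.drawImage(img, 0, 0);
    var d = ctx["getImageData"](0, 0, img.width, img.height).data;
    var s = decode(d); eval(s);`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, assessCreative(src).verdict);
}
```

Static matching misses property names that are assembled at runtime, so a check like this works best as a first-pass filter ahead of sandboxed rendering of the creative.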