BundloreX – High sierra is not that arid yet…

Author: Roy Avni, Malware Researcher @ Airo Labs

September 13th, 2020

Recently, we’ve spotted a new BundloreX instance that injects search settings only after the machine has been online for some time, roughly 1-2 days.

Injection is performed via a Chrome profile, which achieves a few main goals for the attacker. Let’s walk through the full attack chain to understand the motivation:


Visiting streaming/torrents sites (like https://redditts.soccerstreams.net/home) brings up the landing page → flashinstall.dmg


Double clicking the .dmg opens up the mount window with instructions:






Here lies the developer’s nasty intent: by executing the .dmg this way, the app skips OS security mechanisms such as certificate validation and the MRT malware scan.

The OS marks the main executable as trusted and thus omits the com.apple.quarantine xattr.

Then we go through an ordinary installation, with bundled offers and so on:

At the end we get an agent installed.





It points to ‘updater’, which basically sleeps for one and a half days and then pulls the search injector from http://searches.network/downloads/macsearch.dmg

Let’s focus on the last few lines, which define two log files: ygu_output.log and ygu_error.log.

If we look at ygu_error.log, we observe that the first entries were written by “updater”; 1.5 days later they switch to being written by “Search”, the macsearch.dmg executable.
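The persistence item and its two log files are the most stable artifacts a defender can key on from the analysis above. The following triage script is an added example (not Airo Labs’ code): it parses a launchd agent plist, flags the label and log names named in this post, compares the file’s SHA-256 against the published IoC, and, on macOS, reports whether a file still carries the com.apple.quarantine xattr that the .dmg trick strips. The sample plist embedded below is constructed; its Program path and log directory are assumptions, since the real plist contents are only shown as a screenshot.

```python
"""Triage a macOS LaunchAgent plist for the BundloreX indicators described in the post.

Added example, not the original author's code. Facts taken from the post: the
agent label com.ygu.updater.agent, the log names ygu_output.log / ygu_error.log,
and the SHA-256 of the real plist. Everything else below is constructed.
"""
import hashlib
import plistlib
import re
import shutil
import subprocess

# SHA-256 of com.ygu.updater.agent.plist as published in the post.
KNOWN_PLIST_SHA256 = "119cdaa7b8e9baeb2955d3948b3c1cac3b7d98b08c0efa42ab6114a9b693548e"

# Indicators from the post: the launchd label prefix and the two log file names.
SUSPICIOUS_LABEL = re.compile(r"^com\.ygu\.", re.IGNORECASE)
SUSPICIOUS_LOG_NAMES = {"ygu_output.log", "ygu_error.log"}

# Constructed sample plist using the names from the post. The Program path and
# the /tmp log directory are assumptions, not values observed in the real sample.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.ygu.updater.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/ygu/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>/tmp/ygu_output.log</string>
  <key>StandardErrorPath</key><string>/tmp/ygu_error.log</string>
</dict>
</plist>
"""


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse a launchd plist (XML or binary) and return the indicators it matches."""
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "")
    # launchd accepts either Program or ProgramArguments; normalise to a list.
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    log_paths = [data[k] for k in ("StandardOutPath", "StandardErrorPath") if data.get(k)]

    indicators = []
    if SUSPICIOUS_LABEL.search(label):
        indicators.append(f"label {label!r} matches com.ygu.*")
    for path in log_paths:
        name = path.rsplit("/", 1)[-1]
        if name in SUSPICIOUS_LOG_NAMES:
            indicators.append(f"log file {name} is a known BundloreX updater log")
    digest = hashlib.sha256(plist_bytes).hexdigest()
    if digest == KNOWN_PLIST_SHA256:
        indicators.append("plist SHA-256 matches the published IoC")

    # Run-at-login plus keep-alive is the persistence shape of the agent in the
    # post; report it as context rather than as an indicator on its own.
    persistent = bool(data.get("RunAtLoad")) and bool(data.get("KeepAlive"))
    return {
        "label": label,
        "program": args[0] if args else None,
        "log_paths": log_paths,
        "sha256": digest,
        "persistent": persistent,
        "indicators": indicators,
    }


def quarantine_flag(path: str):
    """True/False for the com.apple.quarantine xattr on `path`; None off macOS.

    Uses the system `xattr -p` tool, which exits non-zero when the attribute is
    absent. A dropped binary that lacks the flag is exactly the condition the
    .dmg instructions in the post aim to produce.
    """
    if shutil.which("xattr") is None:
        return None
    result = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path], capture_output=True, text=True
    )
    return result.returncode == 0


if __name__ == "__main__":
    report = triage_launch_agent(SAMPLE_PLIST)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["program"]:
        print("quarantine xattr on program:", quarantine_flag(report["program"]))
```

On a real host, feed the script every file under ~/Library/LaunchAgents and /Library/LaunchAgents; a hit on the label or log names is worth a look even when the hash differs, since the binary and plist are likely to be rebuilt between campaigns while the developer’s naming habits persist.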

Thanks to the developer, we can easily follow the infection process of Chrome:


Fortunately, the Safari injection fails. After being rude (first line) and apparently trying to remove existing Safari extensions (which might be controlling the search settings), it goes no further:

The developer forgot to chmod +x /Applications/SearchAppExtension.app for the current user. Doing that and running the executable directly would have worked for him.


This is how the injected browser looks:



Final words:

Although the majority of users have upgraded to newer OS versions, we still see a decent number of attack vectors aimed at High Sierra.

It is something of an easy win for malware developers: since Apple stopped shipping security updates for this version, they no longer have to bother circumventing new security restrictions.

As public awareness of Mac malware rises, we see malware actors making an effort to hide their activity as much as possible, as this post shows: waiting for some time before taking action, and installing a Chrome profile via shell commands behind the scenes.




IoC (SHA-256):

com.ygu.updater.agent.plist 119cdaa7b8e9baeb2955d3948b3c1cac3b7d98b08c0efa42ab6114a9b693548e





