Author: Roy Avni, Malware Researcher @ Airo Labs
Recently we spotted a new BundloreX instance that injects search settings only after the machine has been online for some time, roughly 1-2 days.
The injection is performed through a Chrome profile, which serves several goals for the developer. To understand the motivation, let's walk through the full attack chain:
Visiting streaming/torrent sites (like https://redditts.soccerstreams.net/home) brings up the landing page, which serves flashinstall.dmg:
Double clicking the .dmg opens up the mount window with instructions:
Here lies the nasty purpose of the developer: by executing the .dmg that way, the app skips OS security mechanisms such as code-signature (certificate) validation and the built-in malware scan (XProtect/MRT).
The OS treats the main executable as trusted and therefore never sets the com.apple.quarantine xattr; since Gatekeeper and XProtect only act on files that carry that attribute, the executable is never inspected.
Then we go through an ordinary installation, with offers etc.:
At the end we get a LaunchAgent installed.
It points to 'updater', which basically sleeps for a day and a half and then pulls the search injector from http://searches.network/downloads/macsearch.dmg.
Let's focus on the last few lines of the plist, which define two log files: ygu_output.log and ygu_error.log.
If we look at ygu_error.log we observe that the first entries were written by "updater"; 1.5 days later they switch to being written by "Search", the executable from macsearch.dmg.
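The two artifacts just discussed, the LaunchAgent plist and the log files it names, are the first things a responder would want to pull from an infected machine. Below is an added example (not Airo Labs' tooling, and not a reproduction of the real com.ygu.updater.agent.plist) that triages a LaunchAgent plist and measures the hand-off from "updater" to "Search" in a log of the kind described. SAMPLE_PLIST and SAMPLE_LOG are constructed: the label and log-file names come from the post, but the install path, the log-line format, the timestamps and the message text are assumptions made up for this example.

```python
"""Triage helpers for LaunchAgent persistence and the updater -> Search hand-off.

Added example, not the analysed sample's code. SAMPLE_PLIST and SAMPLE_LOG are
CONSTRUCTED: label and log names follow the post, everything else is assumed.
"""
import plistlib
import re
from datetime import datetime

# Constructed LaunchAgent resembling the one described (install path assumed).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.ygu.updater.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/ygu/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>/tmp/ygu_output.log</string>
  <key>StandardErrorPath</key><string>/tmp/ygu_error.log</string>
</dict>
</plist>
"""

# Paths where a launchd job's binary is usually expected to live.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def triage_launch_agent(plist_bytes):
    """Return label, program and a list of findings for a LaunchAgent plist."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else None)
    findings = []
    if program and not program.startswith(SYSTEM_PREFIXES):
        findings.append("program lives outside system paths: " + program)
    if d.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at every login")
    if d.get("KeepAlive"):
        findings.append("KeepAlive: launchd restarts it if it exits")
    # Log redirection is what let the analyst follow this sample's activity.
    for key in ("StandardOutPath", "StandardErrorPath"):
        if key in d:
            findings.append(f"{key} -> {d[key]}")
    return {"label": d.get("Label"), "program": program, "findings": findings}


# Constructed log; the real ygu_error.log format is not reproduced here.
SAMPLE_LOG = """\
2019-09-01 10:12:03 updater: started
2019-09-01 10:12:04 updater: sleeping
2019-09-02 22:11:50 updater: fetching macsearch.dmg
2019-09-02 22:12:03 Search: injecting chrome profile
2019-09-02 22:12:05 Search: safari: chmod failed
"""

LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+): (.*)$")


def first_seen(log_text):
    """Map each logging process name to the timestamp of its first line."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        seen.setdefault(m.group(2), ts)
    return seen


def handoff_delay_hours(log_text, before="updater", after="Search"):
    """Hours between the first `before` line and the first `after` line,
    or None if either process never logged (e.g. the injector never ran)."""
    seen = first_seen(log_text)
    if before not in seen or after not in seen:
        return None
    return (seen[after] - seen[before]).total_seconds() / 3600


if __name__ == "__main__":
    print(triage_launch_agent(SAMPLE_PLIST))
    print("hand-off after", handoff_delay_hours(SAMPLE_LOG), "hours")
```

On a live machine you would feed every file under ~/Library/LaunchAgents and /Library/LaunchAgents to triage_launch_agent and read the log paths it reports; a long gap before the second process name appears is exactly the dormancy this sample relies on to look benign during a short sandbox run.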
Thanks to the developer, we can easily follow the Chrome infection process:
Fortunately the Safari injection fails. After being rude (first line) and apparently trying to remove existing Safari extensions (which might be controlling the search settings), the developer forgot to chmod +x /Applications/SearchAppExtension.app for the current user.
Had he done that, running the executable directly would have just worked.
This is how the injected browser looks:
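The visible symptom above is a rewritten search engine, homepage and startup page. An added example (not the sample's injector and not Airo's code) that reads the settings a Chrome profile stores in its Preferences JSON and flags hosts outside a small trusted set; SAMPLE_PREFS is constructed, the key names are the ones Chrome uses, and the hijacked hostname search.example.invalid is a placeholder rather than the real injected URL.

```python
"""Report the search/startup settings an adware profile rewrites in Chrome.

Added example, not the malware's own code. SAMPLE_PREFS is CONSTRUCTED and
search.example.invalid is a placeholder for the injected search host.
"""
import json
from urllib.parse import urlparse

# Hosts a default profile would normally point at; extend for your estate.
TRUSTED_SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com",
}

# Constructed Preferences fragment using Chrome's real key names.
SAMPLE_PREFS = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Search",
            "keyword": "search.example.invalid",
            "url": "https://search.example.invalid/?q={searchTerms}",
        }
    },
    "homepage": "https://search.example.invalid/",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "startup_urls": ["https://search.example.invalid/"],
    },
})


def host_of(url):
    """Hostname of a URL, or '' if it has none."""
    return urlparse(url).hostname or ""


def check_chrome_prefs(prefs_text):
    """Return the effective search provider, homepage and startup URLs from a
    Preferences JSON document plus the hosts that are not in the trusted set."""
    p = json.loads(prefs_text)
    tud = p.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = tud.get("url", "")
    homepage = p.get("homepage", "")
    startup = p.get("session", {}).get("startup_urls", [])
    candidates = [search_url, homepage, *startup]
    suspicious = sorted({
        host_of(u) for u in candidates
        if u and host_of(u) not in TRUSTED_SEARCH_HOSTS
    })
    return {
        "search_provider": tud.get("short_name"),
        "search_url": search_url,
        "homepage": homepage,
        "startup_urls": startup,
        "suspicious_hosts": suspicious,
    }


if __name__ == "__main__":
    print(check_chrome_prefs(SAMPLE_PREFS))
```

On macOS the file to read is ~/Library/Application Support/Google/Chrome/<profile>/Preferences; since this sample installs a whole new profile rather than editing the existing one, check every profile directory there, not just Default, and treat a freshly created one as the first suspect.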
Final words:
Although the majority of users have upgraded to newer OS versions, we still see a decent number of attack vectors targeting High Sierra.
It is something of an easy win for malware developers: since Apple has stopped shipping security updates for this version, they no longer need to circumvent new security restrictions.
As public awareness of Mac malware rises, we see malware actors making an effort to hide their activity as much as possible, as this post shows: sleeping for some time before taking action, and installing a Chrome profile with a shell command behind the scenes.
IOCs (SHA-256):
flashinstaller.dmg 7f0daf43b622e020d5c1d0f95fa4eb9a5deca0c8b9e2364623e1ebf61dc92455
com.ygu.updater.agent.plist 119cdaa7b8e9baeb2955d3948b3c1cac3b7d98b08c0efa42ab6114a9b693548e
updater d0125f20bb7d0b31952d37cb02d99f6993393eeba97a41d2d31f5c4ce55dbd03
macsearch.dmg 3981c9b076b58a46e883eea60d09cf8be27eaa95607fedb719ed7f29697c8b49