
BundloreX – High Sierra is not that arid yet…

Author: Roy Avni, Malware Researcher @ Airo Labs

September 13th, 2020

Recently we spotted a new BundloreX instance that injects search settings only after the machine has been online for some time, roughly one to two days.

The injection is performed through a Chrome profile, which serves several goals for the attacker. To see the motivation, let's walk through the full attack chain:

Visiting a streaming/torrent site (for example https://redditts.soccerstreams.net/home) brings up a landing page that serves flashinstall.dmg.

Double-clicking the .dmg opens the mounted volume, which carries instructions on how to run the installer:

Here lies the developer's nasty trick: an executable launched the way those instructions describe skips the OS security mechanisms that normally apply to a download, such as Gatekeeper's certificate validation and Apple's built-in malware scanning (the MRT/XProtect checks).

The reason is that the main executable never receives the com.apple.quarantine extended attribute, so the OS treats it as trusted and the quarantine-driven checks are never triggered.
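The check an analyst runs to confirm this, as an added example that is not part of the original post: read and decode the com.apple.quarantine attribute of a downloaded file. A file that lacks it is never evaluated by Gatekeeper or XProtect at launch. The field layout (flags; download time; agent; UUID, all separated by semicolons) is the attribute's documented format; the sample value, the Safari agent name and the UUID are constructed for illustration, not taken from flashinstall.dmg, and the flag bits are returned raw rather than interpreted.

```python
import os
import subprocess
import sys
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Decode a com.apple.quarantine value.

    The attribute is a ';'-separated string:
        <flags as hex>;<download time as hex unix seconds>;<agent name>;<UUID>
    The agent and UUID fields are sometimes absent, so they come back as None.
    The flag bits are not interpreted here; they are returned as an int.
    """
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(fields[0], 16)
    downloaded_at = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    agent = fields[2] if len(fields) > 2 and fields[2] else None
    uuid = fields[3] if len(fields) > 3 and fields[3] else None
    return {"flags": flags, "downloaded_at": downloaded_at, "agent": agent, "uuid": uuid}


def read_quarantine(path: str):
    """Return the raw quarantine value of `path`, or None if the file carries none.

    Python exposes os.getxattr only on Linux; on macOS we fall back to the
    `xattr -p` command that ships with the system.
    """
    if hasattr(os, "getxattr"):
        try:
            return os.getxattr(path, QUARANTINE_ATTR).decode()
        except OSError:  # ENODATA / ENOTSUP: attribute not present
            return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    value = proc.stdout.strip()
    return value if proc.returncode == 0 and value else None


def triage(path: str) -> dict:
    """Say whether Gatekeeper/XProtect will look at `path` at all and,
    if so, where it came from."""
    raw = read_quarantine(path)
    if raw is None:
        return {"path": path, "quarantined": False,
                "note": "no com.apple.quarantine: Gatekeeper/XProtect are not triggered on launch"}
    info = parse_quarantine(raw)
    info.update(path=path, quarantined=True)
    return info


if __name__ == "__main__":
    # Constructed sample value, not taken from the BundloreX installer:
    # flags 0x0083, downloaded 2020-09-13 16:43:22 UTC by Safari.
    print(parse_quarantine("0083;5f5e4c2a;Safari;0F2A7C8E-1D3B-4C5A-9E6F-7A8B9C0D1E2F"))
    for p in sys.argv[1:]:
        print(triage(p))
```

Run it against the mounted installer (`python3 quarantine.py /Volumes/<dmg>/<installer>`): a "quarantined: False" result on a file you just downloaded is exactly the condition the installer's instructions are engineered to produce.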

Then we go through an ordinary installation, complete with bundled offers:

At the end we get a launchd agent installed (com.ygu.updater.agent.plist):

The agent points at 'updater', a binary that simply sleeps for about a day and a half and then pulls the search injector from http://searches.network/downloads/macsearch.dmg

Note the last few lines of the plist, which define two log files: ygu_output.log and ygu_error.log.

Looking at ygu_error.log, the first entries are written by "updater"; about 1.5 days later they switch to "Search", the executable inside macsearch.dmg.
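A triage routine for launchd items like the one above, as an added example that is not the post's own tooling: it parses a LaunchAgent/LaunchDaemon plist, reports the persistence properties (RunAtLoad, KeepAlive, StartInterval), flags a program that lives outside the system and application directories, and surfaces the StandardOutPath/StandardErrorPath entries that pointed the author at ygu_error.log. The embedded plist is constructed from what the post reports (the label, an 'updater' program, the two log file names); every directory path in it is an assumption, not a value from the sample.

```python
import plistlib
from pathlib import Path

# Directories launchd scans for per-user and system-wide agents/daemons.
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Where a legitimate launch item's program normally lives; anything else
# (a user's Library folder, /tmp, /Users/Shared, ...) deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

# Constructed plist modelled on what the post reports about
# com.ygu.updater.agent.plist. The directory paths are assumptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.ygu.updater.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/ygu/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>/Users/victim/Library/Application Support/ygu/ygu_output.log</string>
  <key>StandardErrorPath</key><string>/Users/victim/Library/Application Support/ygu/ygu_error.log</string>
</dict>
</plist>
"""


def triage_launch_item(data: bytes) -> dict:
    """Summarise one launchd plist: what runs, when, and where it logs."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    findings = []
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at login/boot")
    if plist.get("KeepAlive"):
        findings.append("KeepAlive: relaunched whenever it exits")
    if "StartInterval" in plist:
        findings.append(f"StartInterval: re-runs every {plist['StartInterval']}s")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program lives outside system/application paths: {program}")
    log_paths = {k: plist[k] for k in ("StandardOutPath", "StandardErrorPath") if k in plist}
    for key, path in log_paths.items():
        findings.append(f"{key} -> {path} (read it: it records what the agent did and when)")
    return {"label": plist.get("Label"), "program": program, "arguments": args[1:],
            "log_paths": log_paths, "findings": findings}


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Triage every plist in the launchd directories; unparsable files are reported, not skipped."""
    results = []
    for d in dirs:
        for plist_path in (sorted(d.glob("*.plist")) if d.is_dir() else []):
            try:
                r = triage_launch_item(plist_path.read_bytes())
            except Exception as exc:  # binary plists are fine; truncated/garbage files are not
                r = {"label": None, "program": None, "arguments": [], "log_paths": {},
                     "findings": [f"could not parse: {exc}"]}
            r["file"] = str(plist_path)
            results.append(r)
    return results


if __name__ == "__main__":
    for line in triage_launch_item(SAMPLE_PLIST)["findings"]:
        print("sample:", line)
    for item in scan_launch_dirs():
        print(item["file"], item["label"], item["program"])
        for line in item["findings"]:
            print("   ", line)
```

On a live High Sierra box, the combination this flags for the sample (RunAtLoad plus KeepAlive, a program under the user's Library folder, and log files next to it) is the shape of the BundloreX agent; the log files are the quickest way to establish when the delayed stage actually fired.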

Thanks to the developer's logging, we can easily follow the Chrome infection process:
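To verify a Chrome profile the way the injected one above would be checked, here is an added example that is not part of the post: it reads a profile's Preferences file (JSON) and reports a default search provider that is not one of Chrome's stock engines, a forced homepage, and URLs forced open at startup. The two embedded Preferences excerpts are constructed; only the host searches.network and the component name "Search" come from the post, and the exact hijack URL is an assumption.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Chrome's stock default engines; any other default provider is worth a look.
# Extend for your locale.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}

# Per-profile settings live in <profile dir>/Preferences, e.g. on macOS
# ~/Library/Application Support/Google/Chrome/Default/Preferences
PREF_FILE = "Preferences"

# Constructed excerpt of a hijacked profile (URL beyond the host is assumed).
HIJACKED_PREFS = json.dumps({
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search", "keyword": "search",
        "url": "https://searches.network/search?q={searchTerms}"}},
    "homepage": "https://searches.network/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4, "startup_urls": ["https://searches.network/"]},
})

# Constructed excerpt of an untouched profile: no custom provider, new-tab
# homepage, plain new-tab page on startup.
CLEAN_PREFS = json.dumps({
    "homepage_is_newtabpage": True,
    "session": {"restore_on_startup": 5},
})


def _search_host(url):
    if url is None:
        return None
    if url.startswith("{google:baseURL}"):
        # Chrome's built-in Google entry uses this placeholder instead of a host.
        return "www.google.com"
    return urlparse(url).hostname


def inspect_chrome_prefs(text: str) -> dict:
    """Flag search/homepage/startup settings that point away from the user's choice."""
    prefs = json.loads(text)
    findings = []
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_host = _search_host(tmpl.get("url"))
    if search_host and search_host not in EXPECTED_SEARCH_HOSTS:
        findings.append(f"default search provider '{tmpl.get('short_name')}' points at {search_host}")
    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", True):
        findings.append(f"custom homepage: {homepage}")
    session = prefs.get("session", {})
    startup = session.get("startup_urls", [])
    if session.get("restore_on_startup") == 4 and startup:  # 4 = "open specific pages"
        findings.append(f"startup URLs forced: {', '.join(startup)}")
    return {"search_host": search_host, "homepage": homepage,
            "startup_urls": startup, "findings": findings}


def inspect_profile_dir(profile_dir: str) -> dict:
    """Inspect the Preferences file of one Chrome profile directory."""
    return inspect_chrome_prefs((Path(profile_dir) / PREF_FILE).read_text(encoding="utf-8"))


if __name__ == "__main__":
    import sys
    print("constructed hijacked profile:", inspect_chrome_prefs(HIJACKED_PREFS)["findings"])
    print("constructed clean profile:   ", inspect_chrome_prefs(CLEAN_PREFS)["findings"])
    for d in sys.argv[1:]:
        print(d, inspect_profile_dir(d)["findings"])
```

Point it at every profile directory under the Chrome user data folder, not just Default: a profile that the malware created through shell commands is a separate directory with its own Preferences file, which is precisely why the hijack survives a cleanup of the profile the user normally looks at.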

Fortunately the Safari injection fails. After an insulting log line (the first one) and an apparent attempt to remove existing Safari extensions (which might be controlling the search settings), it gets no further:

The developer forgot to chmod +x the executable inside /Applications/SearchAppExtension.app for the current user. Doing that and running the executable directly would have worked for him.

This is what the injected browser looks like:

Final words:

Although the majority of users have upgraded to newer OS versions, we still see a decent amount of attack activity against High Sierra.

It is something of an easy win for malware developers: since Apple has stopped adding new security mechanisms to this version, they do not have to bother circumventing newer security restrictions.

As public awareness of Mac malware grows, we see malware actors making an effort to hide their activity as much as possible, as this post shows: idling for some time before taking action, and installing a Chrome profile through shell commands behind the scenes.

Indicators (SHA-256):

flashinstaller.dmg
7f0daf43b622e020d5c1d0f95fa4eb9a5deca0c8b9e2364623e1ebf61dc92455

com.ygu.updater.agent.plist
119cdaa7b8e9baeb2955d3948b3c1cac3b7d98b08c0efa42ab6114a9b693548e

updater
d0125f20bb7d0b31952d37cb02d99f6993393eeba97a41d2d31f5c4ce55dbd03

macsearch.dmg
3981c9b076b58a46e883eea60d09cf8be27eaa95607fedb719ed7f29697c8b49
