Author: Roy Avni, Malware Researcher @ Airo Labs
Recently, we’ve spotted a new BundloreX instance that injects search settings only after the machine has been online for some time, roughly 1-2 days.
The injection is performed via a Chrome profile, which serves a few main goals for the developer. To understand the motivation, let’s walk through the full attack chain:
Visiting streaming/torrent sites (like https://redditts.soccerstreams.net/home) brings up the landing page, which serves flashinstall.dmg.
Double clicking the .dmg opens up the mount window with instructions:
Here lies a nasty trick by the developer: by executing the .dmg this way, the app skips OS security mechanisms such as certificate validation and the MRT scan for viruses.
The OS marks the main executable as trusted and thus omits the com.apple.quarantine xattr.
Then we go through an ordinary installation with offers, etc.:
At the end we get an agent installed.
It points at ‘updater’, which basically hangs for a day and a half and then pulls the search injector from http://searches.network/downloads/macsearch.dmg
Let’s focus on the last few lines, which define two log files: ygu_output.log and ygu_error.log
If we look at ygu_error.log, we observe that the first log entries were written by “updater”, and 1.5 days later they switch to being written by “Search”, the macsearch.dmg executable.
Thanks to the developer, we can easily follow the infection process of Chrome:
Fortunately, the Safari injection fails: after being rude (first line) and apparently trying to remove existing Safari extensions [that might be controlling the search settings], the developer forgot to chmod +x /Applications/SearchAppExtension.app for the current user. Doing that and running the executable directly would just work for him.
This is what the injected browser looks like:
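The Chrome-side injection described above boils down to rewriting a few keys in the profile’s Preferences file. The following audit script is an added example written for this post, not code from the Airo Labs post or from the BundloreX sample; it assumes Chrome stores the active search engine under default_search_provider_data.template_url_data and the homepage and startup pages under homepage and session.startup_urls in the profile’s JSON Preferences file, and it flags any of those pointing at a host outside a fleet-specific allowlist. The sample profile is constructed, with a placeholder domain rather than an indicator from the post.

```python
"""Audit a Chrome profile's Preferences for hijacked search/homepage settings.

Added example for this post (not the post's own code). Assumed Chrome keys:
  default_search_provider_data.template_url_data.url  -> active search engine
  homepage                                             -> homepage override
  session.startup_urls                                 -> pages opened on launch
"""
import json
import os
import subprocess
from urllib.parse import urlparse

# Hosts a user would normally have as a search/home page; tune per environment.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Default profile location on macOS (assumption: standard Chrome install).
DEFAULT_PREFS_PATH = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/Preferences")


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def audit_chrome_preferences(prefs: dict) -> list:
    """Return human-readable findings for settings pointing at untrusted hosts."""
    findings = []

    # Default search engine: the URL template of the active provider.
    provider = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = provider.get("url", "")
    if search_url and _host(search_url) not in TRUSTED_HOSTS:
        findings.append("default search provider %r -> %s"
                        % (provider.get("short_name", "?"), _host(search_url)))

    # Homepage override.
    homepage = prefs.get("homepage", "")
    if homepage and _host(homepage) not in TRUSTED_HOSTS:
        findings.append("homepage -> %s" % _host(homepage))

    # Pages opened on launch (used when Chrome is set to open specific pages).
    for url in prefs.get("session", {}).get("startup_urls", []):
        if _host(url) not in TRUSTED_HOSTS:
            findings.append("startup url -> %s" % _host(url))

    return findings


def load_preferences(path: str = DEFAULT_PREFS_PATH) -> dict:
    """Load a Chrome Preferences JSON file from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def has_quarantine_xattr(path: str) -> bool:
    """True if the file carries com.apple.quarantine (macOS only, via xattr(1)).

    A freshly downloaded installer normally has this attribute; its absence on
    a dropped binary is the condition the post describes.
    """
    result = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                            capture_output=True, text=True)
    return result.returncode == 0 and bool(result.stdout.strip())


# Constructed sample: search provider and homepage rewritten to a hypothetical
# injector domain (placeholder .invalid host, not an indicator from the post).
SAMPLE_HIJACKED_PREFS = {
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Search",
            "keyword": "search",
            "url": "http://search.example-injector.invalid/?q={searchTerms}",
        }
    },
    "homepage": "http://search.example-injector.invalid/",
    "session": {"restore_on_startup": 4, "startup_urls": ["https://www.google.com/"]},
}

# Constructed sample of an untouched profile.
SAMPLE_CLEAN_PREFS = {
    "default_search_provider_data": {
        "template_url_data": {"short_name": "Google",
                              "url": "https://www.google.com/search?q={searchTerms}"}
    }
}

if __name__ == "__main__":
    for name, prefs in (("hijacked", SAMPLE_HIJACKED_PREFS), ("clean", SAMPLE_CLEAN_PREFS)):
        print(name, audit_chrome_preferences(prefs) or "no findings")
```

On a real machine, call audit_chrome_preferences(load_preferences()) for each profile directory under the Chrome support folder; a finding that names the same untrusted host for the search provider, homepage and startup pages is the pattern a profile-based injector leaves behind.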
Although the majority of users have upgraded to newer OS versions, we still see a decent amount of attacks targeting High Sierra.
It is something of an easy win for malware developers: since Apple stopped pushing security updates for this version, they no longer have to bother circumventing new security restrictions.
As public awareness of Mac malware grows, we see an effort from malware actors to hide their activity as much as possible, as this post shows: waiting for some time before taking action, and installing a Chrome profile via a shell command behind the scenes.