Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[1]

ID: S0482
Associated Software: OSX.Bundlore
Type: MALWARE
Platforms: macOS
Version: 1.0
Created: 01 July 2020
Last Modified: 06 July 2020

Associated Software Descriptions

Name Description
OSX.Bundlore [1]

Techniques Used

Domain ID Name Use
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

Bundlore creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bundlore uses HTTP requests for C2.[1]

Enterprise T1176 Browser Extensions

Bundlore can install malicious browser extensions that are used to hijack user searches.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Bundlore has leveraged /bin/sh and /bin/bash to execute commands on the victim machine.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript/JScript

Bundlore can execute JavaScript by injecting it into the victim's browser.[1]

Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

Bundlore can use AppleScript to inject malicious JavaScript into a browser.[1]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Bundlore has used Python scripts to execute payloads.[1]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Bundlore can persist via a LaunchAgent.[1]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

Bundlore can persist via a LaunchDaemon.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Bundlore has used openssl to decrypt AES-encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.[1]

Enterprise T1189 Drive-by Compromise

Bundlore has been spread through malicious advertisements on websites.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Bundlore can change macOS security settings and browser preferences to enable follow-on behaviors.[1]

Enterprise T1105 Ingress Tool Transfer

Bundlore can download and execute new versions of itself.[1]

Enterprise T1056 .002 Input Capture: GUI Input Capture

Bundlore prompts the user for their credentials.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Bundlore has disguised a malicious .app file as a Flash Player update.[1]

Enterprise T1027 Obfuscated Files or Information

Bundlore has obfuscated data with base64, AES, RC4, and bz2.[1]

Enterprise T1057 Process Discovery

Bundlore has used the ps command to list processes.[1]

Enterprise T1518 Software Discovery

Bundlore has the ability to enumerate what browser is being used as well as version information for Safari.[1]

Enterprise T1082 System Information Discovery

Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute.[1]

Enterprise T1204 .002 User Execution: Malicious File

Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update.[1]

References