Attackers Hide macOS Bundlore in Named Fork


Saturday, November 7th, 2020

macOS Bundlore, also known as Crossrider, is a family of deceptive software installers that let attackers bundle adware-type applications (such as CinemaPlusPro, FlashMail, MyShopCoupon, etc.) together with legitimate apps. The adware-type apps typically offer legitimate and sometimes useful features, but after installation these programs deliver intrusive advertisements and exfiltrate sensitive data. This malware is often found in the wild being distributed on sites that offer “free” versions of popular software. In one case observed by Sentinel Labs, the malware was being distributed by a site called ‘mysofwarefree[.]com,’ bundled along with a ‘free’ copy of Office 365.

Users are instructed to remove any current installation of Office, to download the legitimate free trial from Microsoft, and then to download the “required files” from a button on the malicious site in order to obtain “a full version of Office 365 ProPlus, without any limitations”. Once the download starts, a file called “dmg” is saved to the user’s device. Once mounted, the disk image does not contain the promised copy of MS Office; instead it contains a typical Bundlore/Shlayer dropper together with graphical instructions that walk the user through bypassing the built-in macOS security checks provided by Gatekeeper and Notarization. On macOS Catalina, this bypass does not prevent XProtect from scanning the code on execution, but this particular code is not known to XProtect at the current time. After execution, the malware hides parts of itself inside a resource fork, a kind of named fork: a legacy filesystem feature used to store data such as image thumbnails, window data and even code. Hiding the payload this way lets it avoid detection by many traditional file scanners, which only inspect a file’s data fork. By placing the encrypted and compressed file in the named resource fork, the actors are clearly hoping to evade certain kinds of scanning engines.
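Because most scanners hash only the data fork, a defender checking a suspicious install tree needs to read the resource fork explicitly. The following Python script is an added example (not code from the original article or from Sentinel Labs): it walks a directory, hashes both the data fork and, where one exists, the resource fork of every regular file, and compares the digests against the SHA1/SHA256 indicators listed on this page. The `com.apple.ResourceFork` xattr name and the `..namedfork/rsrc` path are the standard macOS ways of exposing the resource fork; on non-macOS systems the resource-fork read simply returns nothing, and the helper names are the author's own choices.

```python
import hashlib
import os

# Indicators of Compromise taken from this article
KNOWN_BAD_SHA1 = {
    "06842f098ba7e695a21b6a1a9bd6aee6daeb8746": "Bundlore disk image",
    "e978fbcb9002b7dace469f00da485a8885946371": "Bundlore Mach-O",
}
KNOWN_BAD_SHA256 = {
    "5673ace10a07905503486f5f4eeb8d45a4d56a2168b0274084750f68eb7a1362": "Bundlore disk image",
    "43b9157a4ad42da1692cfb5b571598fcde775c7d1f9c7d56e6d6c13da5b35537": "Bundlore Mach-O",
}

# macOS exposes the resource fork as this extended attribute (Python's
# os.getxattr is Linux-only, so this path is a best-effort attempt) and,
# on HFS+/APFS, as the pseudo-path <file>/..namedfork/rsrc.
RSRC_XATTR = "com.apple.ResourceFork"


def digests(data: bytes) -> dict:
    """SHA1 and SHA256 hex digests of a byte string."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup_ioc(sha1: str, sha256: str):
    """Return the IoC label if either digest is a known-bad value, else None."""
    return KNOWN_BAD_SHA256.get(sha256) or KNOWN_BAD_SHA1.get(sha1)


def classify(data: bytes) -> dict:
    """Hash a fork's contents and tag it with any matching IoC."""
    d = digests(data)
    d["ioc"] = lookup_ioc(d["sha1"], d["sha256"])
    return d


def read_resource_fork(path: str):
    """Return the resource fork bytes, or None if absent or unsupported here."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is not None:
        try:
            data = getxattr(path, RSRC_XATTR)
            if data:
                return data
        except OSError:
            pass
    try:
        with open(os.path.join(path, "..namedfork", "rsrc"), "rb") as f:
            data = f.read()
            return data or None
    except OSError:
        return None


def scan_file(path: str) -> dict:
    """Hash the data fork and (if present) the resource fork of one file."""
    with open(path, "rb") as f:
        data_fork = f.read()
    result = {"path": path, "data_fork": classify(data_fork), "resource_fork": None}
    rsrc = read_resource_fork(path)
    if rsrc is not None:
        result["resource_fork"] = classify(rsrc)
    return result


def scan_tree(root: str) -> list:
    """Report every file that carries a resource fork or matches an IoC.

    A non-empty resource fork on a freshly downloaded installer is itself
    worth a look, even when its hash matches nothing known.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            r = scan_file(p)
            if r["resource_fork"] is not None or r["data_fork"]["ioc"]:
                findings.append(r)
    return findings


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it against a mounted disk image (`python3 scan.py /Volumes/<image>`) to list files whose resource fork holds data or whose digests match the indicators above; a hit on the resource fork of an otherwise clean-looking file is the pattern this article describes.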


Indicators of Compromise:

  • Hashes
    • Disk Image
      • SHA1: 06842f098ba7e695a21b6a1a9bd6aee6daeb8746
      • SHA256: 5673ace10a07905503486f5f4eeb8d45a4d56a2168b0274084750f68eb7a1362
    • Mach-O
      • SHA1: e978fbcb9002b7dace469f00da485a8885946371
      • SHA256: 43b9157a4ad42da1692cfb5b571598fcde775c7d1f9c7d56e6d6c13da5b35537