Bundlore

Bundlore, also known as Adware.MacOS.Bundlore, MacOS Bundlore, and Crossrider, is a Potentially Unwanted Application (PUA) that bundles third-party adware-like tools into a single installer and spreads them over the Web. Originally targeting Windows-based systems, Bundlore now lands uninvited on Macs as well. Recent research has also identified Bundlore as a Mac app called Shoptimizely, which claims to provide an improved shopping experience for users. Its real purpose, however, is to collect user data and display fake deals and offers.


This Week In Malware Episode 32 Part 2: MacOS Bundlore Loader Malware Evades Detection by Hiding Payload in Named Fork

Covering Tracks

MacOS Bundlore reportedly arrives as part of other software bundles or through bogus software updates. In some cases, Bundlore may infect your system after a click on a web pop-up. Regardless of its distribution method, Bundlore is known to be quite covert in nature, and Mac users rarely find out about it until the app has already been installed.

What to Expect?

You will know you’ve had a Bundlore infection when you see that your default search engine has been changed to searchmine(dot)net for no apparent reason. Next, it will start pouring pop-ups, banners, and all sorts of ads into your web browser until you can no longer separate the wheat from the chaff. Eventually, you may inadvertently click on a malware-laden ad, only to jump from the frying pan into the fire. In the end, a seemingly harmless PUP may lead you to far bigger malware threats on the Web. More often than not, however, you will simply be generating revenue for the shady advertisers who pay Bundlore’s developers to promote those pay-per-click ads. Finally, some of the risks associated with Bundlore may also relate to data harvesting, including sensitive data and login credentials. Once collected, there’s no way of knowing where that data will end up.

Bundlore Adware Uses an Innovative Technique to Avoid Detection

This year, researchers have observed a number of new developments on the market for malware threats attacking macOS. Bundlore Adware has recently come into the spotlight by doing the opposite: one of its new variants leverages a legacy MacOS technology to hide its malicious payload and avoid detection both by users and by Mac malware scanning tools. One of the latest analyzed Bundlore samples is distributed by a site called “mysoftwarefree.” It comes bundled within the installation package of a fake copy of Windows Office 365. The site instructs users to remove any existing Office version from their device and to download the legitimate free trial from Microsoft. Users are then required to click a button to download a “full version of Office 365 ProPlus” that has no limitations.
That results in a file called “dmg” being installed on the user’s computer, which is simply a macOS disk image file. Inside that mounted disk image hides the Bundlore dropper. The threat actors have misused resource forks, a MacOS file system feature intended for storing structured data such as image thumbnails, to hide Bundlore’s payload. It is a new trick, and many traditional scanning engines would not pick up the tactic. The analyzed Bundlore sample was not code-signed, so it was not subject to Apple’s Notarization check. Therefore, it remains an open question whether this anti-detection technique could be used to evade Notarization checks in future malware threats.
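One way a defender can hunt for the trick described above, as an added example that is not the article’s or any vendor’s code: it walks a directory, reads each file’s resource fork through the macOS `..namedfork/rsrc` pseudo-path, and flags forks that start with a Mach-O header, exceed an assumed size cutoff, or outgrow the file’s data fork. The 64 KiB threshold and the `~/Downloads` starting point are assumptions; on systems without named forks the walk simply finds nothing.

```python
import os
from typing import Dict, List, NamedTuple

MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # 32/64-bit big-endian
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # 32/64-bit little-endian
                b"\xca\xfe\xba\xbe")                       # universal (fat) binary
SIZE_THRESHOLD = 64 * 1024   # assumed cutoff: thumbnails fit, a bundled app does not

class ForkInfo(NamedTuple):
    data_size: int    # size of the regular data fork
    fork_size: int    # size of the resource fork
    fork_head: bytes  # first four bytes of the resource fork

def collect_forks(root: str) -> Dict[str, ForkInfo]:
    """Walk root and record every regular file that carries a non-empty resource fork."""
    found: Dict[str, ForkInfo] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rsrc = os.path.join(path, "..namedfork", "rsrc")  # macOS named-fork path
            try:
                fork_size = os.stat(rsrc).st_size
                if fork_size == 0:
                    continue
                with open(rsrc, "rb") as fh:
                    head = fh.read(4)
                found[path] = ForkInfo(os.stat(path).st_size, fork_size, head)
            except OSError:   # no fork, or a platform without named forks
                continue
    return found

def find_suspicious_forks(inventory: Dict[str, ForkInfo],
                          threshold: int = SIZE_THRESHOLD) -> List[str]:
    """Report files whose resource fork looks like a hidden payload rather than metadata."""
    hits: List[str] = []
    for path, info in sorted(inventory.items()):
        reasons = []
        if info.fork_head in MACHO_MAGICS:
            reasons.append("fork starts with a Mach-O header")
        if info.fork_size > threshold:
            reasons.append(f"fork is {info.fork_size} bytes (> {threshold})")
        if info.fork_size > info.data_size:
            reasons.append("fork is larger than the data fork")
        if reasons:
            hits.append(f"{path}: " + "; ".join(reasons))
    return hits

if __name__ == "__main__":
    for line in find_suspicious_forks(collect_forks(os.path.expanduser("~/Downloads"))):
        print(line)
```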

Imminent Removal

Data-collecting applications such as Bundlore pose substantial risks to your privacy, which is why you should act as soon as you’ve spotted it on your Mac. As we said earlier, however, Bundlore may prove more resilient than you’d expect because of its covert installation. You will often have trouble finding Bundlore in your Applications list, and you will not see it in your browser’s extensions list either. Moreover, the adware may survive even if you reset your browser to its default settings. That is why deploying a reputable anti-malware solution for a full system scan is, for the time being, the best shot at detecting and removing the MacOS Bundlore PUP.
