VindInstaller


VindInstaller is classified as adware and a pay-per-install (PPI) bundler. Its goal is to deliver PUPs (Potentially Unwanted Programs) to the user's Mac without attracting attention. It relies on deceptive marketing techniques to do so, such as hiding the PUP's installation, already pre-selected, inside the installer of a popular freeware product. As a result, one or more applications may be installed without the user ever noticing. Another common tactic is to pose as a new version or update of Adobe Flash Player, regardless of the functionality the downloaded application was originally advertised to provide. PUPs generally do not pose a direct threat to the system, but they severely diminish the user experience. Most are either adware or browser hijackers that deliver unwanted and questionable advertising material in a scheme to generate revenue for the application's developer.

VindInstaller is Still Evolving

VindInstaller is not brand new malware created to plague macOS users. In fact, it has been around for nearly a decade, with the earliest samples detected back in 2013. Over that period, VindInstaller has kept evolving and incorporating new techniques to become more effective and less likely to be detected by security software. So far, three distinct variants have been identified.

The first, VindInstaller.A, is the most basic form of the malware. It is mostly a browser hijacker targeting Chrome, Firefox, and Safari, as well as a bundle installer for Genieo. Being the earliest incarnation, VindInstaller.A contains no obfuscation routines or anti-analysis techniques.

The next variant, VindInstaller.B, shows the expanded scope of the cybercriminals' goals. It is equipped with data-gathering capabilities that collect details about the victim's OS version. To deliver the PUPs onto the affected computer, VindInstaller.B contacts a specific URL. While this variant also lacks obfuscation, its shell-script delivery mechanism is designed to avoid detection by signature-based products and certain sandbox engines.

The latest observed variant is VindInstaller.Gen. It again employs an adaptation of the shell scripts first seen in the Shlayer and Bundlore malware to evade legacy anti-malware products and signature-based security software. VindInstaller.Gen, however, additionally uses the NSAppleScript class, which gives it AppleScript functionality in-process without having to spawn the osascript utility. Based on how extensively they use NSAppleScript, two versions of VindInstaller.Gen can be distinguished: 'mdm.macLauncher' and 'osxdl.Downloader.' Of the two, 'osxdl.Downloader' leans more heavily on it through its DandIThread class.
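The practical consequence of the NSAppleScript change is that a detection rule built around an osascript child process never fires for VindInstaller.Gen, because the AppleScript runs inside the installer's own process. A cheap complementary check is static: a Mach-O that uses NSAppleScript imports the Objective-C class symbol from Foundation and carries the NSAppleScript selector names as plain strings, so they can be found without disassembly. The following triage script is an added example written for this article, not code from the article or from the malware. It uses the real Mach-O magic values and real NSAppleScript selector names, and the indicators it looks for are only the ones named above ('mdm.macLauncher', 'osxdl.Downloader', DandIThread); the sample buffers it scans are constructed stand-ins, not real samples.

```python
"""Static triage of a macOS binary for in-process AppleScript use (NSAppleScript)
and the VindInstaller.Gen identifiers named in the article.

Added example, not code from the article or the malware. Sample buffers below
are constructed for illustration, not real samples."""
import struct
from dataclasses import dataclass

# Mach-O magic values in both byte orders, plus the fat (universal) header.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}

# A binary that calls NSAppleScript imports the class symbol from Foundation and
# keeps the selector names in its __objc_methname section; both survive as strings.
NSAPPLESCRIPT_CLASS = b"_OBJC_CLASS_$_NSAppleScript"
NSAPPLESCRIPT_SELECTORS = (b"initWithSource:", b"compileAndReturnError:", b"executeAndReturnError:")

# Identifiers the article attributes to the two VindInstaller.Gen versions, and the
# helper class it attributes to osxdl.Downloader.
GEN_IDENTIFIERS = (b"mdm.macLauncher", b"osxdl.Downloader")
DANDI_THREAD_CLASS = b"DandIThread"


@dataclass
class Triage:
    is_macho: bool
    uses_nsapplescript: bool
    selectors: tuple
    identifiers: tuple
    has_dandithread: bool
    verdict: str


def is_macho(data: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MACHO_MAGICS


def triage(data: bytes) -> Triage:
    """Scan raw file bytes for the indicators above and return a verdict."""
    macho = is_macho(data)
    uses_nsas = NSAPPLESCRIPT_CLASS in data
    sels = tuple(s.decode() for s in NSAPPLESCRIPT_SELECTORS if s in data)
    ids = tuple(i.decode() for i in GEN_IDENTIFIERS if i in data)
    dandi = DANDI_THREAD_CLASS in data

    if not macho:
        verdict = "not a Mach-O binary; inspect it as a script (shell-loader stage) instead"
    elif ids and uses_nsas:
        verdict = f"suspected VindInstaller.Gen ({', '.join(ids)})"
    elif uses_nsas:
        verdict = "runs AppleScript in-process via NSAppleScript (no osascript child); review manually"
    else:
        verdict = "no VindInstaller.Gen indicators"
    return Triage(macho, uses_nsas, sels, ids, dandi, verdict)


def _fake_macho(*strings: bytes) -> bytes:
    """Constructed stand-in for a 64-bit Mach-O: MH_MAGIC_64 as it appears on disk
    (little-endian), padding, then NUL-separated strings. Not a real sample."""
    header = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28
    return header + b"\x00".join(strings) + b"\x00"


# Constructed inputs: one with the .Gen indicators, one benign NSAppleScript user,
# one clean binary, and a shell script (which this check deliberately does not judge).
SAMPLE_GEN = _fake_macho(b"osxdl.Downloader", b"_OBJC_CLASS_$_NSAppleScript",
                         b"initWithSource:", b"executeAndReturnError:", b"DandIThread")
SAMPLE_APPLESCRIPT_ONLY = _fake_macho(b"com.example.helper", b"_OBJC_CLASS_$_NSAppleScript",
                                      b"executeAndReturnError:")
SAMPLE_CLEAN = _fake_macho(b"com.example.app", b"_OBJC_CLASS_$_NSString", b"NSLog")
SAMPLE_SHELL = b"#!/bin/sh\nosascript -e 'display dialog \"hi\"'\n"

if __name__ == "__main__":
    for name, blob in [("gen", SAMPLE_GEN), ("applescript-only", SAMPLE_APPLESCRIPT_ONLY),
                       ("clean", SAMPLE_CLEAN), ("shell", SAMPLE_SHELL)]:
        print(f"{name:17} -> {triage(blob).verdict}")
```

The NSAppleScript indicators alone are not a verdict: plenty of legitimate apps drive AppleScript in-process, which is why that case is reported for manual review rather than flagged. The script also refuses to judge anything that is not Mach-O, since the first stage of this family is a shell script and belongs to a different check.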
