New Bundlore adware targets macOS with updated Safari extensions


Level 72
Content Creator
Malware Hunter
Aug 17, 2014
We recently analyzed a particularly aggressive sample of what we refer to as “bundleware”—an unscrupulous software installer that drops multiple unwanted applications under the guise of installing one legitimate application—targeting macOS Catalina users. This installer carried a total of seven “potentially unwanted applications” (PUAs)—including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising—popping up a malicious ad that prompted the download of a fake Adobe Flash update.

We’ve identified the installer as belonging to the Bundlore family, a common macOS bundleware installer family. Bundlore is one of the most common “bundleware” installers for the macOS platform—it accounts for nearly seven percent of all attacks against the macOS platform detected by Sophos, making it the second most common “badware” threat affecting macOS (with Genieo ranking first). Bundlore is also a common threat to Windows, primarily carrying extensions for Google Chrome—and some of the code used to target Chrome is shared with the macOS-targeting versions of the adware.

What makes the recent macOS samples we found stand out from previous Bundlore versions is the way that they have been updated to keep up with the recent changes in macOS and Safari—in particular, Apple’s changes in the format for Safari browser extensions.

The Bundlore sample analyzed contained multiple Safari extension payloads, including two in the new App Extension format. Extensions, by their nature, can process and modify the content of web pages viewed in Safari. These extensions, however, were “adware”—they contained code that injected new advertisements and links—including download links— and even redirected search queries from select search engine webpages. And code pulled from a remote server in support of two extensions also revealed some of the details of how these adware tools make money for their developers—listing dozens of search affiliate names related to the ad injector and search modification payload, and affiliate codes used to profit from visits to other sites. [....]