New Bundlore adware targeting macOS with updated Safari extensions

The notion that macOS is immune to malware is fading, according to a report released by SophosLabs titled “New Bundlore Adware Targets MacOS with Updated Safari Extensions.” The report identifies a bundleware installer, belonging to the Bundlore family, that targets macOS. Bundlore accounts for nearly seven percent of all attacks against the macOS platform. It also targets Windows, carrying extensions for Google Chrome.

A browser add-on is specialty software that adds functionality to a browser and is usually created by a third party. Add-ons are installed into the browser toolbar and provide features such as animation and graphics. Because they come from a third party, they are a cause for concern. Although most come from legitimate software companies, add-ons are sometimes used by malicious software developers as a gateway to turn downloads of free software into a revenue stream: such an add-on gathers information about the user, injects advertisements into websites, and even redirects search links. Add-ons are also frequently used to lure people, allowing the developers to drop their unwanted payloads.

The macOS samples analyzed were surprisingly up to date, keeping pace with recent changes in the format of macOS and Safari browser extensions.

The analyzed sample was a software installer, targeting macOS Catalina users, that dropped multiple “potentially unwanted applications” (PUAs) under the guise of installing a single legitimate application. This installer carried seven PUAs that injected ads into the browser, hijacked download links, and redirected search queries to steal users’ clicks and generate income. In at least one case, the injected content was used for malvertising.

Xinran Wu, senior threat researcher at Sophos, explains “Potentially unwanted applications like Bundlore adware are the most common security threat to MacOS users. Not only are adware developers updating their methods to adapt to recent changes in MacOS and Safari by Apple, but in some cases, they’re also dropping multiple PUA payloads with a single installer. And these PUAs go beyond just injecting ads into websites, they’re redirecting where a user’s browser searches are sent for the purpose of stealing clicks for money and even changing links for software downloads.”

To elaborate, SophosLabs analyzed the MyCouponSmart app extension, which contained obfuscated JavaScript. When de-obfuscated, it was found to read characteristics of the web page the user is browsing; the user then falls prey to a cross-site scripting (XSS) attack, and because the change happens from within the browser, the user gets no security alerts.

This extension was also found to inject ads, hijack search queries, and replace any download links on the websites the user visited with a fake Flash downloader.
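The capabilities described above (running script on every page, observing or rewriting requests, and replacing the search provider) all have to be declared in a browser extension's manifest. The following is an added example, not code from the Sophos report or from the Bundlore samples, that audits a WebExtension-style manifest.json (the format used by Safari web extensions, Chrome and Firefox) for the permissions an ad injector or search hijacker needs. The two manifests embedded in it are constructed for illustration; the permission names are real WebExtension keys, but the risk weighting is the author's own heuristic.

```javascript
// Added example: audit a WebExtension manifest.json for capabilities that
// adware such as Bundlore relies on. Not taken from the Sophos report.

// Permissions that let an extension read every tab, intercept or block
// requests, or inject script into arbitrary pages.
const HIGH_RISK_PERMISSIONS = new Set([
  "webRequest",          // observe and modify network requests
  "webRequestBlocking",  // cancel or redirect requests (search redirection)
  "declarativeNetRequest",
  "tabs",                // read the URL and title of every open tab
  "scripting",           // programmatic script injection (Manifest V3)
  "cookies",
  "history",
]);

// Match patterns that cover every site: what an ad injector needs to
// rewrite download links on whatever page the user visits.
const BROAD_MATCHES = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
function isBroadMatch(pattern) {
  return BROAD_MATCHES.includes(pattern);
}

// Returns a list of human-readable findings for the given manifest object.
function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`high-risk permission: ${p}`);
    if (isBroadMatch(p)) findings.push(`host permission covers every site: ${p}`);
  }
  for (const h of manifest.host_permissions || []) {
    if (isBroadMatch(h)) findings.push(`host permission covers every site: ${h}`);
  }
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadMatch);
    if (broad.length > 0) {
      findings.push(
        `content script runs on every site (${broad.join(", ")}): ${(cs.js || []).join(", ")}`
      );
    }
    // document_start runs before the page's own scripts, so injected code
    // can wrap or replace page functions unnoticed.
    if (cs.run_at === "document_start") {
      findings.push("content script runs at document_start");
    }
  }
  const search = manifest.chrome_settings_overrides &&
    manifest.chrome_settings_overrides.search_provider;
  if (search) {
    findings.push(`replaces the default search provider with ${search.search_url}`);
  }
  return findings;
}

// Coarse risk level from the number of findings (author's heuristic).
function riskLevel(findings) {
  if (findings.length >= 3) return "high";
  if (findings.length > 0) return "medium";
  return "low";
}

// Constructed sample: the shape of a manifest an ad-injecting, search-hijacking
// extension would need. The search URL is a placeholder, not a real domain.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 2,
  name: "CouponHelper (constructed sample)",
  permissions: ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"], run_at: "document_start" }],
  chrome_settings_overrides: {
    search_provider: { search_url: "https://search.placeholder.invalid/?q={searchTerms}" },
  },
};

// Constructed sample: a narrowly scoped extension for comparison.
const BENIGN_MANIFEST = {
  manifest_version: 2,
  name: "SiteTweaks (constructed sample)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["tweaks.js"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const m of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
    const findings = auditManifest(m);
    console.log(`${m.name}: ${riskLevel(findings)}`);
    for (const f of findings) console.log(`  - ${f}`);
  }
}
```

Run it with `node audit.js` to print the findings for both constructed manifests. The same function can be pointed at a manifest.json unpacked from an installed extension; a broad host permission together with a replaced search provider is the combination the report attributes to the Bundlore payloads, and it deserves scrutiny even when the extension's store listing looks harmless.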

Apple’s XProtect feature in macOS blocks such known Bundlore payloads. Apple also revokes the developer signatures associated with them and blocks them from executing on current macOS versions.

“Users should exercise caution when downloading software from unknown sources and stay alert when an unfamiliar app tries to install Browser Extensions,” concludes Xinran Wu.