Threat Analysis Unit

TAU Threat Analysis: Bundlore (macOS) mm-install-macos

The mm-install->macos variant of the Bundlore family of macOS adware has been around for many years in many variations and delivery methods. Recently, a variant with a novel installation method was discovered. Although most of the installation details were the same or similar to the samples analyzed in the blogs above, these new samples modified the sudoers file on the infected system to remove the password requirement for privilege escalation. The malware also utilizes a form of obfuscation not observed before in this family, hiding compressed data in a resource fork on a downloaded script file.

These samples were observed to be installed via a malicious chrome extension (crx file). This extension was pulled from an adware site http://download[.]mycouponsmartmac[.]com and was not publicly uploaded at the time of analysis.

After the MyCouponsmart extension is installed, javascript is injected into the browser that displays pop-up ads and redirects the user to a website requiring the user to download a fake Adobe Flash Player update. The software downloaded has a multi-stage installer that, once given authentication from the user, gathers system information and ultimately installs multiple adware programs as root. The installed program demonstrates persistence on the system and the capability to silently download and install software as root at any time.

Figure 1: Fake Flash Update Page

Interestingly, this page has a disclaimer included at the bottom informing the user that the installer may suggest installation of additional “free software offers” and that the Flash Player downloaded from the site is not affiliated with Adobe Flash.

Figure 2: Fake Flash Update Page Disclaimer

Details
The analyzed samples were manually downloaded from a specially crafted URL from the site http://download[.]mycouponsmartmac[.]com. Each extension download URL uses a unique GUID, and changing this GUID results in the download of a different sample by hash.

Figure 3: Chrome Extension

After the downloaded MyCouponsmart extension is installed, it injects javascript code from chrome-extension://background.js into the browser which contains code to either pop up an advertisement or redirect the webpage. More details regarding this extension are covered in the Configuration Profiles section below.

Figure 4: Extension JavaScript

When the URL in the script above is visited, the user is redirected to another site (in this case, http://cshus[.]albertbucket[.]icu/) which at the time was offering a download for a fake Adobe Flash Update, which downloaded the file AdobeFlashPlayer.zip (SHA256: 98bbcced1edf5ee4d781664b8fe722262aefd1cc4e7aa22a271aa9720de56c15).

Immediately after the Flash zip file is downloaded, the browser is redirected to a site offering the download of another Chrome extension named “Search Manager”

Figure 5: Search Manager Extension

This zip file contained the disk image AdobeFlashPlayer.dmg (SHA256: f425e6b6ac74b2b3b2c8b20b56641dfa8bcdd325b3bcabe023970855cc7f129e) which was automatically mounted. The mounted DMG does not contain an installer; instead it displays an image containing an alias to a script in the mounted volume:

Figure 6: Flash Installer Script Shortcut

The script extracts compressed data containing a macOS .app in a hidden resource known as a resource fork. Resource forks were introduced in the early days of the Macintosh File System (MFS) and are deprecated but are still available, even in macOS Catalina. Resource forks were originally designed to allow an executable to store multiple resources within the file, yet remain separated from the executable data. Much like Alternative Data Streams (ADS) on Windows, the data is hidden from regular file and directory viewers, and multiple “streams” or “forks” are allowed on an individual file.

On macOS, these forks are implemented as an extended attribute (xattr) and can be enumerated or visualized using system tools such as ls and xattr. When ls is run with the l flag on a file that contains extended attributes, an “@” character will appear at the end of the file type and permissions listing:

Figure 7: Listing Attributes with ls

This indicates that the Install.command file has extended attributes, but does not tell us what kind of attributes they are. If we run ls –l@ however, we can see the listed attributes and their sizes, including the ResourceFork:

Figure 8: Listing Extended Attributes with ls -l@

We can also use the tool xattr -p to view the contents of the ResourceFork, which in this case is output in hexadecimal (I have used the system command tail below in order to truncate the results – this shows only the end of the resource contents):

Figure 9: Printing Extended Attributes with xattr

The script from the analyzed sample is shown below. This script creates a temporary directory into which it will copy and execute the mm-install-macos app. The command in the second line of the script takes the last 254kb of the resource fork on the Install.command file, unzips the contents, then further decompresses the data, copying it to the previously created temporary directory. The decompressed data is a macOS .app, which the script then executes in the background.

Figure 10: Initial Install.Command script

Immediately after installation of the application extracted by the script, the user’s browser is redirected to another site that claims the Startup Disk is almost full, offering software to “clean” the system:

Figure 11: Search Manager Extension

Ironically, some of the URL redirects resulting from the browser injection ultimately route through the site mackeeperaffiliates[.]com to the actual MacKeeper download page, the company who wrote up a blog post on this adware last year.

Figure 12MacKeeper Affiliates Page

The process tree for the installation of this initial script from VMware Carbon Black Cloud Enterprise EDR showing the myriad system noise created by this activity is shown below.

Figure 13: Process Flow Diagram from Cloud Enterprise EDR

Once the mm-install-macos application is installed and granted root privileges, it is able to subsequently download and install additional software without re-authentication or Gatekeeper notifications.  A few of the applications observed to be installed by this variant are as follows:

  • MyShopcoupon
  • mediaDownloader
  • UpToDateMac
  • EscrowSecurityAlert
  • Advanced Mac Tuneup
  • PingTrusteer
  • macOSOTA
  • Periodikal

PingTrusteer – sudo manipulation 

Figure 14PingTrusteer Update Process Tree (partial)

PingTrusteer is one of the applications installed by the analyzed Bundlore variant above. This program checks for updates daily using a script pulled from http://request[.]pingtrusteer[.]com/macCheckForUpdates. The malware gains the ability to install programs with root privileges (without requiring a password) by adding the following line to /etc/sudoers file:

<user> ALL=NOPASSWD: /Users/<user>/Applications/PingTrusteer/PingTrusteer

Similar to previous variants, the script as pulled from http://request[.]pingtrusteer[.]com on 2 Jun 2020 exhibited the following functionality:

  • Checks the user account to see if it is either root or has sudo (root) privileges
  • Checks the domain request[.]pingtrusteer[.]com for any updates to the software
  • Creates MD5 hash of the system’s serial number to use as a unique ID
  • Pulls the versions of the OS and installed web browsers
  • Downloads additional components to the temporary directory mmtmp=”/private/tmp/.mmupdatescripts_$(date +%Y%m%d%H%M%S)”  (outlined in the table below)
  • Modifies the sudoers file to grant passwordless execution for the specified programs (PingTrusteer in this case, as seen above) 
  • Compiles lists of all installed applications, profiles, LaunchAgents, and LaunchDaemons
  • Checks version of the macOS Malware Removal Tool (MRT)
  • Posts system-specific json data to the server mmp[.]myshopcouponmac[.]com

This script runs daily to check for updates, and will download and install additional software if offered by the update server, as discussed below.

File Name  Application  Description 
pwr.zip mm-install-macos.app Main Bundlore app
wt.zip webtools.app Webtools Application
imsearch.tar.gz SearchMine Browser search tool
profile.mobileconfig SearchMine Configuration Profile
install-nwt.bin iwt.bin Webtools Installer

 

Configuration Profiles
Highlighted in the table above, one of the methods of persistence and infection used by this variant is the creation of a custom configuration profile. Configuration profiles are typically used in enterprise, educational, or other distributed environments requiring centralized management and deployment of customized system configurations. In the case of this variant of Bundlore, the SearchMine component installed by mm-install-macos uses the configuration profile to lock several browser settings such as the default search page.

Because it installs these profiles from the command line with root privileges, the user is never notified. However, Apple announced this week at WWDC that they will be revoking the ability to silently install configuration profiles from the command line without user input, which will disable this ability of the malware.

This post from MalwareBytes details a related malware sample called Crossrider that installs a similar profile, as well as how to list and remove any malicious profiles installed.  In both this Bundlore and the Crossrider samples, the configuration profile was named AdminPrefs. However, the malicious actors could easily change this name at any time by pushing a new installation script during the daily update check.

For example, the script originally downloads an “AdminPrefs” configuration profile template (also seen in the post referenced above) which it dynamically populates with system-specific information on the victim machine.

This script is configured to install different products depending on what is retrieved from the server. This allows the malware authors to dynamically change the malware installed on the system, which is all installed with root permissions due to the configuration during initial setup.  

Below is a sample of the analyzed script which shows the download and population of the profile template. In red, the base URL parameters are shown, along with the search domain that the browser will be configured to use. In blue, the script replaces the fields in the profile template with the custom parameters, and then installs the custom profile as seen in green.

Figure 15: Update Script Template Creation

Once a profile is successfully installed, there will be a new icon in the System Preferences dialog as seen below:

Figure 16: Profiles Option Added To Preferences

The profiles installed depend on the browsers installed on the system, and which browser is set to default. On the analyzed system configured with Chrome as the default browser, the malware installed a profile that sets the home page, search provider, and new tab default page. As mentioned before and described in more detail below, it also installs the MyCouponsmart extension via means that render the user unable to remove it.

This profile configuration information is stored in plists on the system after loading. These per-user profile plists are located under a user directory under /Library/ManagedPreferences/<user>/ and define browser defaults such as the default search and home page. As mentioned, this script additionally installed a Chrome extension that is unable to be removed by the user, even with administrative privileges. This is accomplished by using the Chrome ExtensionInstallForceList key which is provided for managed enterprise computers. According to Chrome documentation:

[ExtensionInstallForceList] Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user. All permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension.

This can be seen in the script below as highlighted in red, where the extension ID is lfbenaabfliihodeianphjhhhcjgddlh and points to the URL http://download[.]shoptimizelymac[.]com for updates:

Figure 17: Chrome ExtensionInstallForceList

The installed MyCouponsmart extension can be seen in the Chrome extension management page:

Figure 18: Chrome Management

Installed policy information seen in the plist above can also be viewed in the Chrome policy page:

Figure 19: Chrome Policy

Interestingly, this installer sets the dock to “hidden” mode during install and all of the desktop items disappear while it is running as seen in the screenshot below. When this installer script was run again a week after the initial infection, two additional components were installed – macOSOTA and Periodikal, which appear to be additional Bundlore samples (not covered here, but may be analyzed for a future blog post).

Figure 20: Installation Desktop View

Furthermore, unlike other adware families like Smokyashan, these additional components are not installed in the usual Applications folder, but instead are installed into the user’s Application directory located in /Users/<user>/Applications. This folder is not readily visible to the user unless they navigate directly to the directory in Finder.

Figure 21: User Applications Directory

Although this variant of Bundlore is not significantly different than others seen over the last year, the additional features of manipulating the sudoers file and installation of Configuration Profiles are less commonly seen. The main takeaway however is that adware is often dismissed, but samples like the Bundlore variant analyzed in this post are able to install anything as root without any notification to the user after initial authentication. Although the only programs observed to be installed by Bundlore thus far have been adware, with root access and no additional authentication required from the user, any software could be installed with full access to the file system.

Existing customers can learn more about how VMware Carbon Black products protect against this variant of Bundlore by visiting our “Bundlore (macOS) mm-install-macos” TAU-TIN hosted on the User Exchange.

References

New macOS Bundlore Loader Analysis” – Confiant

macOS Bundlore: Mac Virus Bypassing macOS Security Features” – MacKeeper

New Crossrider variant installs configuration profiles on Macs” – MalwareBytes

Indicators of Compromise

Indicator  Type  Context 
5bbdf331b270973e9987e0163a319ef8c12bb3421e69018629cdd85bee77ff3d SHA256 Sample .crx
98bbcced1edf5ee4d781664b8fe722262aefd1cc4e7aa22a271aa9720de56c15 SHA256 Sample Flash zip file
f425e6b6ac74b2b3b2c8b20b56641dfa8bcdd325b3bcabe023970855cc7f129e SHA256 Sample Flash DMG
2ffe27f6e3ad0af3b90cf8010d32346b MD5 Sample Flash DMG
d44e579ca410fbe04a15e7f10c7c4fffbc758ebb589e8bfd93e7a455ef631490 SHA256 Sample mach-o binary
59fed4536a17b5dc39f2d81c04dfbcf1 MD5 Sample mach-o binary
http://download[.]mycouponsmartmac[.]com domain URL hosting .crx
http://software[.]macsoftwareserver05[.]com domain URL hosting mediaDownloader
http://request[.]pingtrusteer[.]com domain PingTrusteer update server
http://events[.]blitzbarbara[.]win domain Webtools installation server
http://service[.]macinstallerinfo[.]com/ domain Webtools installation server
http://dl[.]searchmine[.]net/ domain Searchmine update server


MITRE ATT&CK Techniques and Tactics

ID Techniques Tactics
T1083 Discovery File and Directory Discovery
T1064 Defense Evasion, Execution Scripting
T1204 Execution User Execution
T1176 Persistence Browser Extensions
T1514 Privilege Escalation Elevated Execution with Prompt
T1222 Defense Evasion File and Directory Permissions Modification
T1158 Defense Evasion Hidden Files and Directories
T1027 Defense Evasion Obfuscated Files or Information
T1005 Collection Data from Local System
T1105 Command and Control Remote File Copy