| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.004 | SSH Authorized Keys | Bundlore creates a new key pair with `ssh-keygen` and drops the newly created user key in `authorized_keys` to enable remote login. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Bundlore uses HTTP requests for C2. |
| enterprise | T1176 | Browser Extensions | Bundlore can install malicious browser extensions that are used to hijack user searches. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.002 | AppleScript | Bundlore can use AppleScript to inject malicious JavaScript into a browser. |
| enterprise | T1059.004 | Unix Shell | Bundlore has leveraged `/bin/sh` and `/bin/bash` to execute commands on the victim machine. |
| enterprise | T1059.006 | Python | Bundlore has used Python scripts to execute payloads. |
| enterprise | T1059.007 | JavaScript | Bundlore can execute JavaScript by injecting it into the victim's browser. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.001 | Launch Agent | Bundlore can persist via a LaunchAgent. |
| enterprise | T1543.004 | Launch Daemon | Bundlore can persist via a LaunchDaemon. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Bundlore has used `openssl` to decrypt AES-encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data. |
| enterprise | T1189 | Drive-by Compromise | Bundlore has been spread through malicious advertisements on websites. |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | Bundlore uses the `curl -s -L -o` command to exfiltrate archived data to a URL. |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Bundlore changes the permissions of a payload using the command `chmod -R 755`. |
| enterprise | T1564 | Hide Artifacts | Bundlore uses the `mktemp` utility to make unique file and directory names for payloads, such as ``TMP_DIR=`mktemp -d -t x` ``. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the `pkill cfprefsd` command to prevent users from inspecting processes. |
| enterprise | T1105 | Ingress Tool Transfer | Bundlore can download and execute new versions of itself. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.002 | GUI Input Capture | Bundlore prompts the user for their credentials. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Bundlore has disguised a malicious `.app` file as a Flash Player update. |
| enterprise | T1027 | Obfuscated Files or Information | Bundlore has obfuscated data with base64, AES, RC4, and bz2. |
| enterprise | T1057 | Process Discovery | Bundlore has used the `ps` command to list processes. |
| enterprise | T1518 | Software Discovery | Bundlore has the ability to enumerate which browser is being used, as well as version information for Safari. |
| enterprise | T1082 | System Information Discovery | Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute, using `/usr/bin/sw_vers -productVersion`. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Bundlore has attempted to get users to execute a malicious `.app` file that looks like a Flash Player update. |