Skip to content

S0482 Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.1

Item Value
ID S0482
Associated Names OSX.Bundlore
Version 1.1
Created 01 July 2020
Last Modified 10 February 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
OSX.Bundlore 1

Techniques Used

Domain ID Name Use
enterprise T1098 Account Manipulation -
enterprise T1098.004 SSH Authorized Keys Bundlore creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Bundlore uses HTTP requests for C2.1
enterprise T1176 Browser Extensions Bundlore can install malicious browser extensions that are used to hijack user searches.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.002 AppleScript Bundlore can use AppleScript to inject malicious JavaScript into a browser.1
enterprise T1059.004 Unix Shell Bundlore has leveraged /bin/sh and /bin/bash to execute commands on the victim machine.1
enterprise T1059.006 Python Bundlore has used Python scripts to execute payloads.1
enterprise T1059.007 JavaScript Bundlore can execute JavaScript by injecting it into the victim’s browser.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent Bundlore can persist via a LaunchAgent.1
enterprise T1543.004 Launch Daemon Bundlore can persist via a LaunchDaemon.1
enterprise T1140 Deobfuscate/Decode Files or Information Bundlore has used openssl to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.1
enterprise T1189 Drive-by Compromise Bundlore has been spread through malicious advertisements on websites.1
enterprise T1048 Exfiltration Over Alternative Protocol Bundlore uses the curl -s -L -o command to exfiltrate archived data to a URL.2
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification Bundlore changes the permissions of a payload using the command chmod -R 755.2
enterprise T1564 Hide Artifacts Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the pkill cfprefsd command to prevent users from inspecting processes.12
enterprise T1105 Ingress Tool Transfer Bundlore can download and execute new versions of itself.1
enterprise T1056 Input Capture -
enterprise T1056.002 GUI Input Capture Bundlore prompts the user for their credentials.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Bundlore has disguised a malicious .app file as a Flash Player update.1
enterprise T1027 Obfuscated Files or Information Bundlore has obfuscated data with base64, AES, RC4, and bz2.1
enterprise T1057 Process Discovery Bundlore has used the ps command to list processes.1
enterprise T1518 Software Discovery Bundlore has the ability to enumerate what browser is being used as well as version information for Safari.1
enterprise T1082 System Information Discovery Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion.12
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update.1