Connect with us

Hi, what are you looking for?

HEADLINES

New Bundlore adware targets macOS with updated Safari extensions

This installer carried a total of seven “potentially unwanted applications” (PUAs), including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income.

Sophos, a global player in next-generation cybersecurity, analyzed a particularly aggressive sample of what Sophos refer to as “bundleware”, an unscrupulous software installer that drops multiple unwanted applications under the guise of installing one legitimate application, targeting macOS Catalina users.

This installer carried a total of seven “potentially unwanted applications” (PUAs), including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising – popping up a malicious ad that prompted the download of a fake Adobe Flash update.

Sophos identified the installer as belonging to the Bundlore family, a common macOS bundleware installer family. Bundlore is one of the most common “bundleware” installers for the macOS platform, it accounts for nearly seven percent of all attacks against the macOS platform detected by Sophos, making it the second most common “badware” threat affecting macOS  (with Genieo ranking first). Bundlore is also a common threat to Windows, primarily carrying extensions for Google Chrome, and some of the code used to target Chrome is shared with the macOS – targeting versions of the adware.

The Bundlore sample analyzed contained multiple Safari extension payloads, including two in the new App Extension format. Extensions, by their nature, can process and modify the content of web pages viewed in Safari. These extensions, however, were “adware.” They contained code that injected new advertisements and links, including download links, and even redirected search queries from select search engine webpages. Code pulled from a remote server in support of two extensions also revealed some of the details of how these adware tools make money for their developers. 

Advertisement. Scroll to continue reading.

PUAs are among the most common privacy and security threats to macOS. Since they can potentially steal personal data and act as a pathway for malvertising and other malware, Sophos (and other endpoint protection products) block PUAs as a rule. Apple’s XProtect feature in macOS also blocks known Bundlore payloads, and Apple revokes the developer signatures associated with them as well, blocking them from execution on current macOS versions.

“Potentially unwanted applications like Bundlore adware are the most common security threat to MacOS users. Not only are adware developers updating their methods to adapt to recent changes in MacOS and Safari by Apple, but in some cases they’re also dropping multiple PUA payloads with a single installer. And these PUAs go beyond just injecting ads into websites, they’re redirecting where a user’s browser searches are sent for the purpose of stealing clicks for money and even changing links for software downloads. Users should exercise caution when downloading software from unknown sources and stay alert when an unfamiliar app tries to install Browser Extensions,” said Xinran Wu, Senior Threat Researcher at Sophos. 

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

White Papers

When compared to 2023, Sophos saw a 51% increase in abusing “Living off the Land” binaries or LOLbins; since 2021, it’s increased by 83%.

HEADLINES

Someone illegally acquires or uses personal information such as bank account or credit card numbers of another person to obtain money, goods or services....

HEADLINES

To stay ahead of these challenges, organizations need to invest in AI-driven defenses, transition to quantum-safe encryption, and adopt a Zero Trust approach to...

HEADLINES

There was a 121% Year-on-Year (YoY) increase in identity fraud in 2024 across the region, with significant surges recorded in Singapore (207%), Thailand (206%)...

HEADLINES

As part of RCBC’s 2024 Cybersecurity literacy program, the webinar aims to help Filipinos level up their online banking safety by providing them with...

White Papers

The survey found that CXO’s feel less prepared than their global peers. Less than half or 48% in APAC said they felt completely prepared...

HEADLINES

On average, a single organization in the Philippines experiences 4,003 attacks per week, significantly higher than the APAC average of 2,870 attacks per week.

White Papers

Exploiting this vulnerability, cybercriminals craft deceptively authentic phishing emails that align with current trends, exploiting human emotions to invoke urgency and trick recipients into...

Advertisement