Threat Research Knowledge Base

Bundlore

Description

Bundlore is an extremely prevalent adware that targets macOS systems by bundling unwanted applications with legitimate software installers. It often masquerades as popular software updaters and installers, deceiving users into installing additional unwanted programs. Once installed, Bundlore injects advertisements into web browsers, redirects user searches, and collects sensitive browsing data. Bundlore is sometimes dropped by the macOS malware Shlayer.

Variant Names

N/A

Alternative Names

  • Crossrider
  • Bnodlero

Country of origin

Unknown

Symptoms

You might observe the following artifacts associated with this threat:

  • Unexpected advertisements appearing on websites where they previously did not occur.
  • Browser homepage and search engine settings altered without user consent.
  • Frequent browser redirects to unfamiliar or unwanted websites.
  • Decreased system performance and increased resource usage.
  • Installation of additional unwanted applications or browser extensions without user knowledge.
  • Detections of another threat, Trojan:macOS/Shlayer, which is known to drop this threat.

Technical Breakdown

Bundlore is distributed through deceptive means such as:

  • Fake Software Updates: Posing as legitimate software updates and prompting users to enter their passwords.
  • Bundled Installations: Packaged with legitimate software installers, deceiving users into inadvertently installing potentially unwanted programs (PUPs).

Bundlore performs the following actions:

  • Persistence Mechanism: Installs into login items so that it runs at each startup, ensuring persistence on the system.
  • Browser Manipulation: Modifies browser settings to change the default search engine and redirect user searches to generate ad revenue.
  • Data Collection: May collect browsing data to share with third parties.

Bundlore has continually evolved over time, with variants employing ever-changing techniques to evade detection and removal. Some versions have been observed modifying the sudoers file to remove the password requirement for privilege escalation.
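The two artifacts above that survive after the main file is removed, a login item that re-launches the adware and a sudoers rule that drops the password requirement, are the ones worth checking by hand. The script below is an added example for that check; it is not Kandji's code or part of Bundlore. The sudoers paths, the `--check` flag and the sample rules in the comments are assumptions for illustration, and the login-item listing relies on the macOS `osascript` / System Events interface, so it is skipped on other systems.

```bash
#!/bin/sh
# Added example, not Kandji's code: a defender-side check for two Bundlore
# artifacts, NOPASSWD sudoers rules and unexpected login items.
# Reading /etc/sudoers on macOS requires root, so run it with sudo.

# Print every active (non-comment) line of a sudoers file that grants
# NOPASSWD, prefixed with its line number. Returns 0 if at least one such
# rule exists, 1 otherwise. Default path is an assumption for this example.
find_nopasswd_rules() {
    file="${1:-/etc/sudoers}"
    # strip '#' comments first so a commented-out rule is not reported
    found=$(sed 's/#.*//' "$file" | grep -n 'NOPASSWD' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Count NOPASSWD rules across the main sudoers file and every drop-in under
# the sudoers.d directory (both paths are assumptions; missing files skip).
count_nopasswd_rules() {
    file="${1:-/etc/sudoers}"
    dir="${2:-/etc/sudoers.d}"
    total=0
    for f in "$file" "$dir"/*; do
        [ -f "$f" ] || continue
        n=$(sed 's/#.*//' "$f" | grep -c 'NOPASSWD' || true)
        total=$((total + n))
    done
    echo "$total"
}

# List the current user's login items on macOS. Bundlore installs itself
# here for persistence; anything you do not recognize deserves a look.
# Returns 1 when System Events scripting is not available (non-macOS host).
list_login_items() {
    if command -v osascript >/dev/null 2>&1; then
        osascript -e 'tell application "System Events" to get the name of every login item'
    else
        echo "osascript not available; skipping login item listing" >&2
        return 1
    fi
}

# Usage: sudo sh bundlore_check.sh --check
if [ "${1:-}" = "--check" ]; then
    echo "NOPASSWD rules (file:line):"
    find_nopasswd_rules /etc/sudoers || echo "  none in /etc/sudoers"
    echo "Total NOPASSWD rules incl. /etc/sudoers.d: $(count_nopasswd_rules)"
    echo "Login items:"
    list_login_items || true
fi
```

A stock macOS sudoers has no NOPASSWD rule, so any hit should be matched against what the admin actually configured; a rule such as `ALL ALL=(ALL) NOPASSWD: ALL` is the password-requirement removal described above and should be reverted with `visudo`, not a plain editor.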

Next Steps

Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.

While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.

In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.

Related

Atomic Stealer (AMOS) is a sophisticated piece of malware that targets Apple users by masquerading as legitimate applications. Once installed, AMOS can exfiltrate extensive data, including keychain passwords, user documents, system information, browser data, credit card information, and cryptocurrency wallets. There is a strong association between Atomic Stealer and Russian-speaking cybercriminal communities.

EvilQuest, also known as ThiefQuest, is a ransomware variant that targets macOS systems. EvilQuest also includes some information stealing and data exfiltration features. It is actively being enhanced with new features to avoid detection.

Shlayer is a Trojan downloader that primarily targets macOS systems, known for distributing various types of adware, including Bundlore. It is distributed through fake Flash Player updates and deceptive websites, tricking users into installing unwanted software. Once executed, Shlayer connects to command-and-control servers to download additional payloads.
