MacOS malware Shlayer and Bundlore may have variations, but the behavior of their attacks have not changed – attacking older macOS versions and poorly-protected websites.
Adware strains Shlayer and Bundlore are the most common malware in macOS – although they have slight variations, they have long invaded and bypassed Xprotect, Notarization, Gatekeeper, and File Quarantine, all security features pre-built into macOS. The Uptycs threat research team has tracked these threats, along with 90% of macOS malware in routine analysis and customer telemetry alerts using shell scripts.
In this post, we break down the variations of malicious shell scripts in Shlayer and Bundlore, review the macOS utilities used by these malware strains, and show how Uptycs EDR detection can help.
Shlayer and Bundlore – malicious Shell scripts
The malicious shell scripts used by Shlayer and Bundlore are usually malvertising-focused adware bundlers using shell scripts in the kill chain to download and install an adware payload. The installers are usually macOS disk image files (DMG) that are distributed via compromised Google search results or downloaded from websites with poor reputation (like cracks, keygens).
Upon installation, the disk image mounts thereby initiating the bash shell script installation.