

The mm-install-macos variant of the Bundlore family of macOS adware has been around for many years in many variations and delivery methods.

Recently, a variant with a novel installation method was discovered. Although most of the installation details were the same or similar to the samples analyzed in the blogs above, these new samples modified the sudoers file on the infected system to remove the password requirement for privilege escalation. The malware also utilizes a form of obfuscation not observed before in this family, hiding compressed data in a resource fork on a downloaded script file.

These samples were observed to be installed via a malicious Chrome extension (crx file). This extension was pulled from an adware site and was not publicly uploaded at the time of analysis. After the MyCouponsmart extension is installed, JavaScript is injected into the browser that displays pop-up ads and redirects the user to a website requiring the user to download a fake Adobe Flash Player update. The software downloaded has a multi-stage installer that, once given authentication from the user, gathers system information and ultimately installs multiple adware programs as root. The installed program demonstrates persistence on the system and the capability to silently download and install software as root at any time.

The analyzed samples were manually downloaded from a specially crafted URL from the site. Each extension download URL uses a unique GUID, and changing this GUID results in the download of a different sample by hash. After the downloaded MyCouponsmart extension is installed, it injects JavaScript code from chrome-extension://background.js into the browser which contains code to either pop up an advertisement or redirect the webpage. More details regarding this extension are covered in the Configuration Profiles section below.

Interestingly, the fake Flash update page has a disclaimer included at the bottom informing the user that the installer may suggest installation of additional “free software offers” and that the Flash Player downloaded from the site is not affiliated with Adobe Flash.

Figure 2: Fake Flash Update Page Disclaimer
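A host-side check for the two indicators this variant introduces (a passwordless sudoers rule and compressed data staged in a script's resource fork), added here as an example and not part of the original analysis. The sudoers excerpt is constructed, and the `..namedfork/rsrc` path is the macOS mechanism for reading a file's resource fork.

```python
import os

# Constructed sudoers excerpt standing in for /etc/sudoers on an infected host;
# a NOPASSWD tag is what removes the password requirement for sudo.
SAMPLE_SUDOERS = """\
# User privilege specification (constructed sample)
root     ALL=(ALL) ALL
%admin   ALL=(ALL) ALL
victim   ALL=(ALL) NOPASSWD: ALL
"""

# Leading bytes of compressed containers a plain script's resource fork should never hold.
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}


def find_nopasswd_rules(sudoers_text):
    """Return (principal, rule) pairs for non-comment lines carrying a NOPASSWD tag.

    A real audit runs this over /etc/sudoers and every file under /etc/sudoers.d.
    """
    hits = []
    for line in sudoers_text.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        if "NOPASSWD" in rule.upper():
            hits.append((rule.split()[0], rule))
    return hits


def classify_fork(data):
    """Name the compression format the bytes begin with, or None if no magic matches."""
    for magic, name in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_resource_fork(path):
    """Classify the first bytes of a file's resource fork (macOS only).

    Returns None when the file has no fork or the platform does not expose one.
    """
    fork = os.path.join(path, "..namedfork", "rsrc")
    try:
        with open(fork, "rb") as fh:
            return classify_fork(fh.read(8))
    except OSError:
        return None


if __name__ == "__main__":
    for who, rule in find_nopasswd_rules(SAMPLE_SUDOERS):
        print(f"passwordless sudo for {who}: {rule}")
```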
