{
	"id": "d6f1d7c6-7c2e-4ecf-af10-53009a3d9048",
	"created_at": "2026-04-06T00:08:42.444683Z",
	"updated_at": "2026-04-10T03:20:30.443799Z",
	"deleted_at": null,
	"sha1_hash": "b3c19ca8a4b34e0008f1492938dcf6ffbcbd2e10",
	"title": "TAU Threat Analysis: Bundlore (macOS) mm-install-macos",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8650138,
	"plain_text": "TAU Threat Analysis: Bundlore (macOS) mm-install-macos\r\nBy Erika Noerenberg\r\nPublished: 2020-06-29 · Archived: 2026-04-05 16:16:24 UTC\r\nThe mm-install-macos variant of the Bundlore family of macOS adware has been around for many years in many\r\nvariations and delivery methods. Recently, a variant with a novel installation method was discovered. Although most of\r\nthe installation details were the same or similar to the samples analyzed in the blogs above, these new samples modified\r\nthe sudoers file on the infected system to remove the password requirement for privilege escalation. The malware also\r\nutilizes a form of obfuscation not observed before in this family, hiding compressed data in a resource fork on a\r\ndownloaded script file.\r\nThese samples were observed to be installed via a malicious Chrome extension (.crx file). This extension was pulled\r\nfrom an adware site http://download[.]mycouponsmartmac[.]com and was not publicly uploaded at the time of analysis.\r\nAfter the MyCouponsmart extension is installed, JavaScript is injected into the browser that displays pop-up ads and\r\nredirects the user to a website requiring the user to download a fake Adobe Flash Player update. The software\r\ndownloaded has a multi-stage installer that, once given authentication from the user, gathers system information and\r\nultimately installs multiple adware programs as root. 
The installed program demonstrates persistence on the system and\r\nthe capability to silently download and install software as root at any time.\r\nFigure 1: Fake Flash Update Page\r\nInterestingly, this page has a disclaimer included at the bottom informing the user that the installer may suggest\r\ninstallation of additional “free software offers” and that the Flash Player downloaded from the site is not affiliated\r\nwith Adobe Flash.\r\nFigure 2: Fake Flash Update Page Disclaimer\r\nhttps://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html\r\nPage 1 of 16\n\nDetails\r\nThe analyzed samples were manually downloaded from a specially crafted URL on the site\r\nhttp://download[.]mycouponsmartmac[.]com. Each extension download URL uses a unique GUID, and changing this\r\nGUID results in the download of a different sample by hash.\r\nFigure 3: Chrome Extension\r\nAfter the downloaded MyCouponsmart extension is installed, it injects JavaScript code from chrome-extension://background.js into the browser which contains code to either pop up an advertisement or redirect the\r\nwebpage. 
More details regarding this extension are covered in the Configuration Profiles section below.\r\nFigure 4: Extension JavaScript\r\nWhen the URL in the script above is visited, the user is redirected to another site (in this case,\r\nhttp://cshus[.]albertbucket[.]icu/) which at the time was offering a download for a fake Adobe Flash Update, which\r\ndownloaded the file AdobeFlashPlayer.zip (SHA256:\r\n98bbcced1edf5ee4d781664b8fe722262aefd1cc4e7aa22a271aa9720de56c15).\r\nImmediately after the Flash zip file is downloaded, the browser is redirected to a site offering the download of another\r\nChrome extension named “Search Manager”:\r\nFigure 5: Search Manager Extension\r\nThis zip file contained the disk image AdobeFlashPlayer.dmg (SHA256:\r\nf425e6b6ac74b2b3b2c8b20b56641dfa8bcdd325b3bcabe023970855cc7f129e) which was automatically mounted. The\r\nmounted DMG does not contain an installer; instead it displays an image containing an alias to a script in the mounted\r\nvolume:\r\nFigure 6: Flash Installer Script Shortcut\r\nThe script extracts compressed data containing a macOS .app in a hidden resource known as a resource fork. Resource\r\nforks were introduced in the early days of the Macintosh File System (MFS) and are deprecated but are still\r\navailable, even in macOS Catalina. Resource forks were originally designed to allow an executable to store multiple\r\nresources within the file, yet remain separated from the executable data. 
Much like Alternate Data Streams (ADS) on\r\nWindows, the data is hidden from regular file and directory viewers, and multiple “streams” or “forks” are allowed on\r\nan individual file.\r\nOn macOS, these forks are implemented as an extended attribute (xattr) and can be enumerated or visualized using\r\nsystem tools such as ls and xattr. When ls is run with the -l flag on a file that contains extended attributes, an “@”\r\ncharacter will appear at the end of the file type and permissions listing:\r\nFigure 7: Listing Attributes with ls\r\nThis indicates that the Install.command file has extended attributes, but does not tell us what kind of attributes they\r\nare. If we run ls -l@ however, we can see the listed attributes and their sizes, including the ResourceFork:\r\nFigure 8: Listing Extended Attributes with ls -l@\r\nWe can also use the tool xattr -p to view the contents of the ResourceFork, which in this case is output in hexadecimal\r\n(I have used the system command tail below in order to truncate the results – this shows only the end of the resource\r\ncontents):\r\nFigure 9: Printing Extended Attributes with xattr\r\nThe script from the analyzed sample is shown below. This script creates a temporary directory into which it will copy\r\nand execute the mm-install-macos app. The command in the second line of the script takes the last 254kb of the\r\nresource fork on the Install.command file, unzips the contents, then further decompresses the data, copying it to the\r\npreviously created temporary directory. 
The decompressed data is a macOS .app, which the script then executes in the\r\nbackground.\r\nFigure 10: Initial Install.Command script\r\nImmediately after installation of the application extracted by the script, the user’s browser is redirected to another site\r\nthat claims the Startup Disk is almost full, offering software to “clean” the system:\r\nFigure 11: Search Manager Extension\r\nIronically, some of the URL redirects resulting from the browser injection ultimately route through the\r\nsite mackeeperaffiliates[.]com to the actual MacKeeper download page, the company that wrote up a blog post on this\r\nadware last year.\r\nFigure 12: MacKeeper Affiliates Page\r\nThe process tree for the installation of this initial script from VMware Carbon Black Cloud Enterprise EDR, showing\r\nthe myriad system noise created by this activity, is shown below.\r\nFigure 13: Process Flow Diagram from Cloud Enterprise EDR\r\nOnce the mm-install-macos application is installed and granted root privileges, it is able to subsequently download and\r\ninstall additional software without re-authentication or Gatekeeper notifications. A few of the applications observed to\r\nbe installed by this variant are as follows:\r\nMyShopcoupon\r\nmediaDownloader\r\nUpToDateMac\r\nEscrowSecurityAlert\r\nAdvanced Mac Tuneup\r\nPingTrusteer\r\nmacOSOTA\r\nPeriodikal\r\nPingTrusteer – sudo manipulation\r\nFigure 14: PingTrusteer Update Process Tree (partial)\r\nPingTrusteer is one of the applications installed by the analyzed Bundlore variant above. 
This program checks for\r\nupdates daily using a script pulled from http://request[.]pingtrusteer[.]com/macCheckForUpdates. The malware gains\r\nthe ability to install programs with root privileges (without requiring a password) by adding the following line to the\r\n/etc/sudoers file:\r\n\u003cuser\u003e ALL=NOPASSWD: /Users/\u003cuser\u003e/Applications/PingTrusteer/PingTrusteer\r\nSimilar to previous variants, the script as pulled from http://request[.]pingtrusteer[.]com on 2 Jun 2020 exhibited the\r\nfollowing functionality:\r\nChecks the user account to see if it is either root or has sudo (root) privileges\r\nChecks the domain request[.]pingtrusteer[.]com for any updates to the software\r\nCreates an MD5 hash of the system’s serial number to use as a unique ID\r\nPulls the versions of the OS and installed web browsers\r\nDownloads additional components to the temporary directory mmtmp=\"/private/tmp/.mmupdatescripts_$(date +%Y%m%d%H%M%S)\" (outlined in the table below)\r\nModifies the sudoers file to grant passwordless execution for the specified programs (PingTrusteer in this case,\r\nas seen above)\r\nCompiles lists of all installed applications, profiles, LaunchAgents, and LaunchDaemons\r\nChecks the version of the macOS Malware Removal Tool (MRT)\r\nPosts system-specific JSON data to the server mmp[.]myshopcouponmac[.]com\r\nThis script runs daily to check for updates, and will download and install additional software if offered by the update\r\nserver, as discussed below.\r\nFile Name  Application  Description\r\npwr.zip mm-install-macos.app Main Bundlore app\r\nwt.zip webtools.app Webtools Application\r\nimsearch.tar.gz SearchMine Browser search tool\r\nprofile.mobileconfig SearchMine Configuration Profile\r\ninstall-nwt.bin iwt.bin Webtools Installer\r\nConfiguration Profiles\r\nHighlighted in the table above, one of the methods of persistence 
and infection used by this variant is the creation of a\r\ncustom configuration profile. Configuration profiles are typically used in enterprise, educational, or\r\nother distributed environments requiring centralized management and deployment of customized system\r\nconfigurations. In the case of this variant of Bundlore, the SearchMine component installed by mm-install-macos uses the configuration profile to lock several browser settings such as the default search page.\r\nBecause it installs these profiles from the command line with root privileges, the user is never\r\nnotified. However, Apple announced this week at WWDC that they will be revoking the ability to silently install\r\nconfiguration profiles from the command line without user input, which will disable this ability of the malware.\r\nThis post from MalwareBytes details a related malware sample called Crossrider that installs a similar profile, as well\r\nas how to list and remove any malicious profiles installed.  In both this Bundlore and the Crossrider samples, the\r\nconfiguration profile was named AdminPrefs. However, the malicious actors could easily change this name at any\r\ntime by pushing a new installation script during the daily update check.\r\nFor example, the script originally downloads an “AdminPrefs” configuration profile template (also seen in the post\r\nreferenced above) which it dynamically populates with system-specific information on the victim machine.\r\nThis script is configured to install different products depending on what is retrieved from the server. This allows the\r\nmalware authors to dynamically change the malware installed on the system, which is all installed with root\r\npermissions due to the configuration during initial setup.  \r\nBelow is a sample of the analyzed script which shows the download and population of the profile template. In red, the\r\nbase URL parameters are shown, along with the search domain that the browser will be configured to use. 
In blue, the\r\nscript replaces the fields in the profile template with the custom parameters, and then installs the custom profile as seen\r\nin green.\r\nFigure 15: Update Script Template Creation\r\nOnce a profile is successfully installed, there will be a new icon in the System Preferences dialog as seen below:\r\nFigure 16: Profiles Option Added To Preferences\r\nThe profiles installed depend on the browsers installed on the system, and which browser is set to default. On the\r\nanalyzed system configured with Chrome as the default browser, the malware installed a profile that sets the home\r\npage, search provider, and new tab default page. As mentioned before and described in more detail below, it also\r\ninstalls the MyCouponsmart extension via means that render the user unable to remove it.\r\nThis profile configuration information is stored in plists on the system after loading. These per-user\r\nprofile plists are located in per-user directories under /Library/ManagedPreferences/\u003cuser\u003e/ and define browser\r\ndefaults such as the default search and home page. As mentioned, this script additionally installed a Chrome extension\r\nthat cannot be removed by the user, even with administrative privileges. This is accomplished by using the\r\nChrome ExtensionInstallForceList key which is provided for managed enterprise computers. According to Chrome\r\ndocumentation:\r\n[ExtensionInstallForceList] Specifies a list of apps and extensions that are installed silently, without user interaction,\r\nand which cannot be uninstalled nor disabled by the user. 
All permissions requested by the apps/extensions are granted\r\nimplicitly, without user interaction, including any additional permissions requested by future versions of the\r\napp/extension.\r\nThis can be seen in the script below as highlighted in red, where the extension ID\r\nis lfbenaabfliihodeianphjhhhcjgddlh and points to the URL http://download[.]shoptimizelymac[.]com for updates:\r\nFigure 17: Chrome ExtensionInstallForceList\r\nThe installed MyCouponsmart extension can be seen in the Chrome extension management page:\r\nFigure 18: Chrome Management\r\nInstalled policy information seen in the plist above can also be viewed in the Chrome policy page:\r\nFigure 19: Chrome Policy\r\nInterestingly, this installer sets the Dock to “hidden” mode during install, and all of the desktop items\r\ndisappear while it is running as seen in the screenshot below. When this installer script was run again a week after the\r\ninitial infection, two additional components were installed – macOSOTA and Periodikal, which appear to be\r\nadditional Bundlore samples (not covered here, but may be analyzed for a future blog post).\r\nFigure 20: Installation Desktop View\r\nFurthermore, unlike other adware families like Smokyashan, these additional components are not installed in\r\nthe usual Applications folder, but instead are installed into the user’s Applications\r\ndirectory located in /Users/\u003cuser\u003e/Applications. 
This folder is not readily visible to the user unless they\r\nnavigate directly to the directory in Finder.\r\nFigure 21: User Applications Directory\r\nAlthough this variant of Bundlore is not significantly different from others seen over the last year, the additional features\r\nof manipulating the sudoers file and installation of Configuration Profiles are less commonly seen. The main takeaway,\r\nhowever, is that adware is often dismissed, but samples like the Bundlore variant analyzed in this post are able to install\r\nanything as root without any notification to the user after initial authentication. Although the only programs observed to\r\nbe installed by Bundlore thus far have been adware, with root access and no additional authentication required from the\r\nuser, any software could be installed with full access to the file system.\r\nExisting customers can learn more about how VMware Carbon Black products protect against this variant\r\nof Bundlore by visiting our “Bundlore (macOS) mm-install-macos” TAU-TIN hosted on the User Exchange.\r\nReferences\r\n“New macOS Bundlore Loader Analysis” – Confiant\r\n“macOS Bundlore: Mac Virus Bypassing macOS Security Features” – MacKeeper\r\n“New Crossrider variant installs configuration profiles on Macs” – MalwareBytes\r\nIndicators of Compromise\r\nIndicator  Type  Context\r\n5bbdf331b270973e9987e0163a319ef8c12bb3421e69018629cdd85bee77ff3d SHA256 Sample .crx\r\n98bbcced1edf5ee4d781664b8fe722262aefd1cc4e7aa22a271aa9720de56c15 SHA256 Sample Flash zip file\r\nf425e6b6ac74b2b3b2c8b20b56641dfa8bcdd325b3bcabe023970855cc7f129e SHA256 Sample Flash DMG\r\n2ffe27f6e3ad0af3b90cf8010d32346b MD5 Sample Flash DMG\r\nd44e579ca410fbe04a15e7f10c7c4fffbc758ebb589e8bfd93e7a455ef631490 SHA256 Sample mach-o binary\r\n59fed4536a17b5dc39f2d81c04dfbcf1 MD5 Sample mach-o binary\r\nhttp://download[.]mycouponsmartmac[.]com 
domain URL hosting .crx\r\nhttp://software[.]macsoftwareserver05[.]com domain URL hosting mediaDownloader\r\nhttp://request[.]pingtrusteer[.]com domain PingTrusteer update server\r\nhttp://events[.]blitzbarbara[.]win domain Webtools installation server\r\nhttp://service[.]macinstallerinfo[.]com/ domain Webtools installation server\r\nhttp://dl[.]searchmine[.]net/ domain Searchmine update server\r\nMITRE ATT\u0026CK Techniques and Tactics\r\nID Tactics Technique\r\nT1083 Discovery File and Directory Discovery\r\nT1064 Defense Evasion, Execution Scripting\r\nT1204 Execution User Execution\r\nT1176 Persistence Browser Extensions\r\nT1514 Privilege Escalation Elevated Execution with Prompt\r\nT1222 Defense Evasion File and Directory Permissions Modification\r\nT1158 Defense Evasion Hidden Files and Directories\r\nT1027 Defense Evasion Obfuscated Files or Information\r\nT1005 Collection Data from Local System\r\nT1105 Command and Control Remote File Copy\r\nSource: https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html"
	],
	"report_names": [
		"tau-threat-analysis-bundlore-macos-mm-install-macos.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3c19ca8a4b34e0008f1492938dcf6ffbcbd2e10.pdf",
		"text": "https://archive.orkl.eu/b3c19ca8a4b34e0008f1492938dcf6ffbcbd2e10.txt",
		"img": "https://archive.orkl.eu/b3c19ca8a4b34e0008f1492938dcf6ffbcbd2e10.jpg"
	}
}