Security News > 2022 > January > Shlayer and Bundlore MacOS Malware Strains – How Uptycs EDR Detection Can Help
Adware strains Shlayer and Bundlore are the most common malware in macOS - although they have slight variations, they have long invaded and bypassed Xprotect, Notarization, Gatekeeper, and File Quarantine, all security features pre-built into macOS. The Uptycs threat research team has tracked these threats, along with 90% of macOS malware in routine analysis and customer telemetry alerts using shell scripts.
In this post, we break down the variations of malicious shell scripts in Shlayer and Bundlore, review the macOS utilities used by these malware strains, and show how Uptycs EDR detection can help.
The malicious shell scripts used by Shlayer and Bundlore are usually malvertising-focused adware bundlers using shell scripts in the kill chain to download and install an adware payload. The installers are usually macOS disk image files that are distributed via compromised Google search results or downloaded from websites with poor reputation.
Shlayer and Bundlore - Shell script variants with different faces.
While most of the variants and its payloads covered so far are detected and blocked by macOS, this variant of bash scripts and its payloads is not detected with the latest versions of macOS. Final payload - Bundlore.
MacOS malware Shlayer and Bundlore may have variations, but the behavior of their attacks have not changed - attacking older macOS versions and poorly-protected websites.