{
  "description": "Enterprise techniques used by Bundlore, ATT&CK software S0482 (v1.1)",
  "name": "Bundlore (S0482)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"},
  "techniques": [
    {"techniqueID": "T1098", "showSubtechniques": true},
    {"techniqueID": "T1098.004", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) uses HTTP requests for C2.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.002", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) can use AppleScript to inject malicious JavaScript into a browser.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has leveraged /bin/sh and /bin/bash to execute commands on the victim machine.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has used Python scripts to execute payloads.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) can execute JavaScript by injecting it into the victim's browser.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.001", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) can persist via a LaunchAgent.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543.004", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) can persist via a LaunchDaemon.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has used openssl to decrypt AES encrypted payload data. [Bundlore](https://attack.mitre.org/software/S0482) has also used base64 and RC4 with a hardcoded key to deobfuscate data.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1189", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has been spread through malicious advertisements on websites.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1048", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) uses the curl -s -L -o command to exfiltrate archived data to a URL.(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1222", "showSubtechniques": true},
    {"techniqueID": "T1222.002", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) changes the permissions of a payload using the command chmod -R 755.(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) can change browser security settings to enable extensions to be installed. [Bundlore](https://attack.mitre.org/software/S0482) uses the pkill cfprefsd command to prevent users from inspecting processes.(Citation: MacKeeper Bundlore Apr 2019)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) can download and execute new versions of itself.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.002", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) prompts the user for their credentials.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has disguised a malicious .app file as a Flash Player update.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has obfuscated data with base64, AES, RC4, and bz2.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has used the ps command to list processes.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has the ability to enumerate what browser is being used as well as version information for Safari.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1176", "showSubtechniques": true},
    {"techniqueID": "T1176.001", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) can install malicious browser extensions that are used to hijack user searches.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion.(Citation: MacKeeper Bundlore Apr 2019)(Citation: 20 macOS Common Tools and Techniques)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Bundlore](https://attack.mitre.org/software/S0482) has attempted to get users to execute a malicious .app file that looks like a Flash Player update.(Citation: MacKeeper Bundlore Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Bundlore", "color": "#66b1ff"}]
}