A new macOS malware dropper that installs the VindInstaller.B adware has been observed in distribution. The initial payload is a DMG disk image containing a shell script, an increasingly common installation technique for macOS malware. The shell script carries a compressed application bundle that is extracted at run time: the script creates a temporary directory, decompresses the bundle into it, and then executes the dropped bundle. SentinelOne's researchers note that this is the first example of such a script using the funzip utility to assist with the decompression. Analysis of the dropped bundle identifies it as the InstallVibes bundle installer, a well-known pay-per-install software provider. Analysis of the executables inside the bundle allowed SentinelOne to classify the installer as VindInstaller.B, an adware and pay-per-install bundler that installs potentially unwanted programs or applications on the victim's machine. Specifically, the "B" variant of VindInstaller gathers details about the victim host, sends them to a remote URL, and retrieves "offers" to deliver to that host.
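The practical question for a responder handed one of these DMG-delivered scripts is how to see what the embedded archive contains without running the stub. The following is an added triage example, not SentinelOne's code and not the dropper's own script: it flags the behaviours the paragraph describes (reading its own file, funzip, a mktemp working directory, launching an .app, and the quarantine-stripping commonly seen alongside them), carves the appended ZIP from the first local-file header, and lists the members, descending one level into a tarball and marking Mach-O executables. The stub text, member names, offsets and the `Installer.app` bundle in `build_sample_dropper()` are constructed for the demo; the real sample's layout and commands are not known here beyond what the summary states, so treat the regex tells as assumptions to be tuned against a real file.

```python
import io
import re
import tarfile
import zipfile
from typing import Optional

ZIP_MAGIC = b"PK\x03\x04"
# Mach-O magic numbers: 32- and 64-bit in both byte orders, plus fat/universal.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

# Tells of a self-extracting dropper stub (assumed patterns, this example's own).
STUB_PATTERNS = {
    "self_read":  re.compile(rb'\b(tail|dd|sed)\b[^\n]*"?\$0"?'),
    "funzip":     re.compile(rb"\bfunzip\b"),
    "tempdir":    re.compile(rb"\bmktemp\b"),
    "launch":     re.compile(rb"\bopen\s+(-a\s+)?\S*\.app"),
    "quarantine": re.compile(rb"xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine"),
}


def scan_stub(script: bytes) -> dict:
    """Flag dropper behaviours in the shell text that precedes the archive."""
    end = script.find(ZIP_MAGIC)
    stub = script if end < 0 else script[:end]
    return {name: bool(pat.search(stub)) for name, pat in STUB_PATTERNS.items()}


def carve_zip(script: bytes) -> Optional[bytes]:
    """Return the appended ZIP (from its first local-file header) without running the stub."""
    off = script.find(ZIP_MAGIC)
    return None if off < 0 else script[off:]


def _describe(name: str, data: bytes) -> dict:
    return {"name": name, "size": len(data),
            "macho": data[:4] in MACHO_MAGICS, "in_app_bundle": ".app/" in name}


def inspect_payload(archive: bytes) -> list:
    """List archive members, descending one level into tarballs.

    funzip streams only the first zip member, so a funzip stub usually wraps
    a tarball or a single file; unpacking that level exposes the bundle.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if tarfile.is_tarfile(io.BytesIO(data)):
                with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                    for m in tf.getmembers():
                        if m.isfile():
                            found.append(_describe(f"{info.filename}:{m.name}",
                                                   tf.extractfile(m).read()))
            else:
                found.append(_describe(info.filename, data))
    return found


def triage(script: bytes) -> dict:
    """Combine stub tells and payload contents into a simple verdict."""
    stub = scan_stub(script)
    archive = carve_zip(script)
    members = inspect_payload(archive) if archive else []
    drops_binary = any(m["macho"] for m in members)
    verdict = "self-extracting dropper" if stub["self_read"] and drops_binary else "inconclusive"
    return {"stub": stub, "members": members, "verdict": verdict}


def build_sample_dropper() -> bytes:
    """Constructed stand-in: shell stub plus an appended single-member zip that
    wraps a tarball holding a minimal .app (no real code, no real indicators)."""
    plist = (b'<plist version="1.0"><dict><key>CFBundleExecutable</key>'
             b'<string>Installer</string></dict></plist>')
    binary = b"\xcf\xfa\xed\xfe" + b"\x00" * 60   # 64-bit LE Mach-O magic only
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, data in (("Installer.app/Contents/Info.plist", plist),
                           ("Installer.app/Contents/MacOS/Installer", binary)):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bundle.tar", tar_buf.getvalue())
    stub = (b"#!/bin/sh\n"
            b"# SKIP is the byte offset of the archive; a real stub computes it.\n"
            b'WORK=$(mktemp -d /tmp/.ins.XXXXXX)\n'
            b'tail -c +"$SKIP" "$0" | funzip > "$WORK/bundle.tar"\n'
            b'tar -xf "$WORK/bundle.tar" -C "$WORK"\n'
            b'xattr -rd com.apple.quarantine "$WORK/Installer.app"\n'
            b'open -a "$WORK/Installer.app"\n'
            b"exit 0\n")
    return stub + zip_buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_dropper()), indent=2))
```

Run it against a real script with `triage(open(path, "rb").read())`; the carved bytes from `carve_zip` can be written to disk and hashed or submitted for further analysis without the stub ever executing. Because the archive is read with Python's zipfile rather than funzip, every member is listed, not only the first one the stub would have streamed.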
Block the threat indicators at their respective controls.