While investigating samples of NukeSped, a remote access trojan (RAT), Trend Micro came across several Bundlore adware samples using the same fileless routine that was spotted in NukeSped. The backdoor has been attributed to the cybercriminal group Lazarus, which has been active since at least 2014. There are multiple variants of NukeSped, which is designed to run on 32-bit systems and uses encrypted strings to evade detection. Recently, a more sophisticated form of this trojan called ThreatNeedle surfaced as part of a cyberespionage campaign by Lazarus.
The encrypted Mach-O file discovered in these samples has upgraded Bundlore — a malware family that installs adware on a target’s device under the guise of downloading legitimate applications — to a stealthier, memory-resident threat.
Source: Trend Micro