Malicious Google Ads for podcast player and PDF viewer applications lead to the installation of a macOS malware known as FlutterShell, Palo Alto's Unit 42 reported Tuesday.

FlutterShell primarily serves as adware that hijacks the victim's Google Chrome browser to display advertisement-filled web pages, but it also contains backdoor functionality enabling arbitrary command execution, file manipulation and extraction of environment variables.

FlutterShell, and the overarching Operation FlutterBridge malvertising campaign used to spread it, is linked to a previous macOS malware campaign known as JSCoreRunner, as well as to clusters of Windows attacks under the "TamperedChef" campaign umbrella. Unit 42 tracks the overall threat cluster as CL-CRI-1089.

The malware is named for its use of Flutter, a legitimate open-source software development framework.

"The Flutter engine compiles Dart code into a dynamic library and uses an Object Pool to store data. This separates the code from the strings and variables it uses, making it difficult for security analysts to see how the malware actually functions," the Unit 42 researchers explained. Palo Alto used a custom version of the open-source tool blutter to assist in reverse engineering the Flutter applications.

Three malicious applications, discovered through Google Ads, were linked to the Operation FlutterBridge campaign: PodcastsLounge, PDF-Brain and PDF-Ninja. These applications performed their advertised function but also used a WebView-based architecture with a JavaScript-to-native bridge to perform malicious functions.

WebView is used to load content from an external website, and the JavaScript-to-native bridge allows that content to be communicated as JSON-formatted commands to the application's native Dart environment. This allows the applications to carry out malicious actions directed by the attacker-controlled command-and-control (C2) domain without including malicious functions directly in the applications' code. The architecture also allows the threat actors to dynamically edit the malicious content by changing the C2 website, without needing to touch the malware code.

The primary purpose of FlutterShell is to edit the Google Chrome "Secure Preferences" file on victims' machines to change the default search provider to the attacker's own website, causing that website to load automatically whenever the victim attempts to perform a search or opens a new tab. This essentially serves as adware to drive ad revenue for the attacker, as the targeted websites are filled with advertisements.

However, FlutterShell could facilitate more extensive backdoor activities, including shell command execution and file system manipulation, and researchers have observed active development of FlutterShell's command payloads, suggesting potential future evolution of the backdoor.

The malicious PDF viewer apps were also found to contain an AI summary feature that sends uploaded files to an attacker-controlled domain before passing them through an AI summarization tool, meaning the attacker can steal any documents uploaded through the feature.

FlutterShell is spread through hundreds of Google Ads from various accounts linked to two shell companies: AdsParkPro LTD and Advantage Web Marketing LLC. Another shell company, SOFT WE ART LIMITED, was previously used to purchase ads for the threat actor's past Windows-targeting campaigns.

Google reportedly removed the Google Ads accounts associated with Operation FlutterBridge after they were reported by Unit 42 researchers.

"The coordination of multiple shell entities, and the rapid development and delivery of new FlutterShell variants, indicates that this campaign is far from over. Up until late March, we continued to witness the distribution of FlutterBridge malware variants," the researchers concluded. "As the attackers behind CL-CRI-1089 continue to refine their JavaScript-to-native bridge techniques, we expect to see this architecture deployed in future campaigns targeting both macOS and Windows environments."
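The article describes FlutterShell rewriting Chrome's "Secure Preferences" file to swap the default search provider. The following audit script is an added example, not code from the Unit 42 report or from the malware; it assumes Chrome's JSON layout (`default_search_provider_data.template_url_data` holding the provider and `protection.macs` holding per-preference integrity MACs) and runs against a constructed sample file rather than a live profile.

```python
"""Audit a Chrome "Secure Preferences" file for a hijacked default search provider.

Added example (not from the Unit 42 report). The key layout assumed here is
default_search_provider_data.template_url_data for the provider and
protection.macs for Chrome's per-preference integrity MACs.
"""
import json
from urllib.parse import urlparse

# Constructed sample: a Secure Preferences file whose search provider now points
# at a made-up domain (.invalid TLD). Real files carry many more keys.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "search",
            "short_name": "Search",
            "url": "https://ads.example-hijack.invalid/q?term={searchTerms}",
        }
    },
    "protection": {"macs": {"default_search_provider_data": {"template_url_data": "0" * 64}}},
})

# Search hosts the organisation considers legitimate; tune to local policy.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}


def audit_secure_preferences(text: str, allowed_hosts=ALLOWED_SEARCH_HOSTS) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    prefs = json.loads(text)
    findings = []
    provider = prefs.get("default_search_provider_data", {}).get("template_url_data")
    if provider is None:
        return findings  # browser built-in default in use: nothing to check
    host = urlparse(provider.get("url", "")).hostname or ""
    if host not in allowed_hosts:
        findings.append(f"default search provider points at unexpected host: {host!r}")
    # Chrome records an HMAC for each tracked preference. A provider entry with no
    # MAC is a cheap consistency signal that the file was edited outside the browser;
    # an edit that recomputes the MAC correctly is NOT caught by this check.
    macs = prefs.get("protection", {}).get("macs", {})
    if "template_url_data" not in macs.get("default_search_provider_data", {}):
        findings.append("no integrity MAC recorded for default_search_provider_data")
    return findings


if __name__ == "__main__":
    for finding in audit_secure_preferences(SAMPLE_SECURE_PREFERENCES):
        print("FINDING:", finding)
```

On a real Mac the file to feed in is the profile's Secure Preferences file under the user's Chrome application support directory; pair the host check with an allowlist that matches the organisation's sanctioned search engines.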