![Page 1: Hypervisor-based Analysis of macOS Malware · 3 1. hyper visor 4. real-world malware behavior. 4 1. hyper visor. Second-level page tables Two-Dimensional Paging 5 Guest Virtual Memory](https://reader034.vdocuments.mx/reader034/viewer/2022050120/5f503ca2bff770598a5a36e6/html5/thumbnails/1.jpg)
Dissecting Rotten Apples –
macOS Malware Analysis
Felix Seele
whoami
Felix Seele
• Technical Lead @ VMRay
• Developed first hypervisor-based macOS sandbox
• Now part of the VMRay Analyzer
@c1truz_
Dissecting the Apple
1. Hypervisor
4. Real-world malware behavior
1. Hypervisor
Second-level page tables
Two-Dimensional Paging
[Diagram: Guest Virtual Memory -> (guest page tables, Virtual Machine) -> Guest Physical Memory -> (second-level page tables, Hypervisor) -> Host Physical Memory]
Permissions: r-x in the guest page tables, r-x in the second-level page tables
Second-level page tables
Two-Dimensional Paging
[Diagram: Guest Virtual Memory -> (guest page tables, Virtual Machine) -> Guest Physical Memory -> (second-level page tables, Hypervisor) -> Host Physical Memory]
Permissions: r-x in the guest page tables, r-- in the second-level page tables
Execution will cause page fault and trap to hypervisor!
Using TDP to monitor API calls
Two-Dimensional Paging
[Diagram: Evil.app | Foundation.framework, CFNetwork.framework, libsystem_kernel.dylib, kernel; ✗ marks the set that is currently non-executable]
• Divide memory regions into two sets:
- Set A: Target executable
- Set B: System libraries and kernel
• One of the sets is executable, the other non-executable
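The two-set scheme above, simulated as an added example (not code from the deck or from VMRay): pages of the target executable form set A, libraries and kernel form set B, and an instruction fetch from whichever set is currently non-executable traps to the "hypervisor", which logs the boundary crossing and swaps the permissions. Region names, addresses and symbols are constructed; a real monitor would obtain them through virtual machine introspection.

```python
from collections import namedtuple

# A mapped guest region: which monitoring set it belongs to and the exported
# symbols it contains (address -> name). Names and addresses are constructed;
# a real monitor would take them from virtual machine introspection.
Region = namedtuple("Region", "name set_tag start end symbols")


class TdpMonitor:
    """Two-set execute-permission scheme on top of second-level page tables:
    set A (target executable) and set B (system libraries, kernel) are never
    executable at the same time, so every crossing between them traps."""

    def __init__(self, regions):
        self.regions = regions
        self.executable = "A"      # the target executable runs first
        self.log = []              # recorded boundary crossings
        self.vm_exits = 0

    def region_of(self, addr):
        for r in self.regions:
            if r.start <= addr < r.end:
                return r
        raise ValueError("instruction fetch from unmapped guest address 0x%x" % addr)

    def permissions(self, addr):
        """Permissions the hypervisor currently grants in the second-level tables."""
        return "r-x" if self.region_of(addr).set_tag == self.executable else "r--"

    def fetch(self, rip):
        """Simulate the CPU fetching the instruction at guest address rip.
        Returns the log entry when the fetch trapped, else None."""
        region = self.region_of(rip)
        if region.set_tag == self.executable:
            return None            # same set: runs natively, no VM exit
        # The page is r-- in the second-level tables: EPT violation, the
        # hypervisor gets control and records who called what.
        self.vm_exits += 1
        kind = "api_call" if region.set_tag == "B" else "api_return"
        target = region.symbols.get(rip, "%s+0x%x" % (region.name, rip - region.start))
        entry = (kind, target)
        self.log.append(entry)
        # Swap the sets: the callee's set becomes executable and the caller's
        # set non-executable, so the eventual return traps as well.
        self.executable = region.set_tag
        return entry


def build_demo_layout():
    """Constructed layout mirroring the slide: Evil.app in set A, the rest in B."""
    return [
        Region("Evil.app", "A", 0x100000000, 0x100010000,
               {0x100001000: "main"}),
        Region("CFNetwork.framework", "B", 0x7fff20000000, 0x7fff20100000,
               {0x7fff20001000: "CFURLCreateWithString"}),
        Region("libsystem_kernel.dylib", "B", 0x7fff30000000, 0x7fff30010000,
               {0x7fff30000500: "open"}),
    ]


def run_demo_trace():
    """Replay a constructed instruction trace and return the monitor state."""
    mon = TdpMonitor(build_demo_layout())
    trace = [
        0x100001000, 0x100001004,  # main() in Evil.app
        0x7fff20001000,            # call into CFURLCreateWithString: trap
        0x7fff20001020,
        0x7fff30000500,            # CFNetwork calls open() itself: B -> B, no trap
        0x7fff30000520,
        0x7fff20001040,            # back in CFNetwork: still no trap
        0x100001008,               # return into Evil.app: trap
    ]
    for rip in trace:
        mon.fetch(rip)
    return mon
```

Note that the internal CFNetwork -> libsystem_kernel call never leaves set B and so costs no VM exit; only the two crossings of the A/B boundary are recorded, which is what keeps the scheme cheap.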
Virtual Machine Introspection
• Processes
• Virtual Memory
• Threads
• Inter-Process Communication
• Shared Libraries
• Syscalls
1. Hypervisor
macOS Architecture
Kernel Space ("XNU"):
• Mach: Scheduling, Virtual Memory, IPC, ...
• BSD: Filesystem, Networking, ...
• IOKit kexts
User Space:
• Core Frameworks/Libraries
• Application Frameworks
• Applications
User space talks to the kernel via syscall and IPC.
Kernel Space ("XNU": Mach, BSD, IOKit kexts) is open source: https://opensource.apple.com/
User Space (Core Frameworks/Libraries, Application Frameworks, Applications) is closed source.
Kernel data structures (Mach and BSD)
struct proc (BSD)                  -- references 0..1 struct task
    pid_t p_pid
    void *task                     -> struct task
    pid_t p_ppid
    uid_t p_uid
    ...
struct task (Mach)                 -- references 0..1 struct proc, owns 1..n struct thread
    uint32_t ref_count
    boolean_t active
    boolean_t halting
    ...
    void *bsd_info                 -> struct proc
    ...
struct thread (Mach)               -- 1..n per task
    ...
    void *uthread                  -> struct uthread
    ...
    uint64_t thread_id
    ...
struct uthread (BSD)
    ...
    struct proc *uu_proc;
    thread_t uu_thread;
    void * uu_userstate;
    ...
Mach Messages
[Diagram: Kernel Space "XNU" – Mach (Scheduling, Virtual Memory, IPC, ...), reached from user space via syscall]
Mach Messages
• IPC mechanism used in kernel and user space
• Opaque binary blob sent between two Mach Ports
• Mach Port is essentially a message queue
• Port rights define who can send and receive messages:
- "Owner" of the port holds a receive right (only one)
- Senders need to hold a send right (0..n)
• Messages can also be complex:
- Pass port right to another process
- Pass out-of-line data (often used for spraying in kernel exploits)
Mach Messages – Kernel
• Mach kernel objects are accessed through ports:
- task
- thread
- vm_map
- …
• Example:
typedef mach_port_t task_t;   // a task handle is just a port name

task_t remoteTask;
// obtain the task port of another process (needs the required privileges/entitlements)
task_for_pid(mach_task_self(), pid, &remoteTask);
// every further operation on that process goes through the port
vm_protect(remoteTask, 0x41414141, 0x100, FALSE, VM_PROT_READ | VM_PROT_EXECUTE);
Mach Messages – User Space
• Mach messages are also the foundation of user space IPC
• Multiple high-level frameworks to facilitate passing structured data (-> XPC)
[Diagram of the IPC stack: Mach messages at the bottom, MIG and CFPort on top of them, XPC-based RPC and XPC messages above]
• Communication with system daemons:
- Access the keychain
- Create persistent services
- …
• Communication between sandboxed and privileged processes (sandbox escapes anyone?)
Auditing and Exploiting Apple IPC (Ian Beer) https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf
Mach Messages – Why should we care?
• Security researchers: Mach messages and the frameworks on top are really complex and many bugs have been found
- Ian Beer "Auditing and Exploiting Apple IPC" https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf
- Ian Beer "vm_map'ing out XNU Virtual Memory" https://objectivebythesea.com/v2/talks/OBTS_v2_Beer.pdf
- Linus Henze "KeySteal: A Vulnerability in Apple's Keychain" https://objectivebythesea.com/v2/talks.html
- Liang Chen, Qidan He "Shooting the OS X El Capitan Kernel Like a Sniper" https://recon.cx/2016/resources/slides/RECON-0xA-Shooting_the_OSX_El_Capitan_Kernel_Like_A_Sniper_Chen_He.pdf
• Malware analysis: A lot of relevant system functionality is implemented using Mach messages under the hood (e.g. installing persistent services, screen capture, …)
• Malware sandboxes: Need to monitor IPC communication to not miss behavior
1. Hypervisor
launchd
• pid 1
• Every process has a send right to launchd ("bootstrap port")
• Serves as a "registry" to look up Mach ports for registered services

mach_port_t bs_port, service_port;
task_get_bootstrap_port(mach_task_self(), &bs_port);
// register service
bootstrap_check_in(bs_port, "com.example.service", &service_port);
// lookup service
bootstrap_look_up(bs_port, "com.example.service", &service_port);
launchd
• Responsible for starting other processes:
- Background services (LaunchDaemons and LaunchAgents)
- Opening files/documents from Finder or other Applications
- On-demand (crash handler, on mount, on file modification, on connection, …)
• LaunchDaemons: Start at boot-time, no interaction
• LaunchAgents: Start at login-time, connected to the user's session, may have GUI
• Service defined in plist (XML)
/System/Library/LaunchDaemons/ -- system
/Library/LaunchDaemons/ -- 3rd party
/System/Library/LaunchAgents -- system
/Library/LaunchAgents -- 3rd party (all users)
~/Library/LaunchAgents -- 3rd party (spec. user)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.updates</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/Shared/.local/kextd</string>
    </array>
    <key>KeepAlive</key>
    <false/>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
</dict>
</plist>
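As an added example (not from the deck), a small audit of such a launchd plist with Python's plistlib, using the slide's entry as constructed input: it flags the Apple-looking label installed outside /System, the program sitting in a hidden directory under /Users/Shared, RunAtLoad, and the discarded stdout/stderr. The heuristics and the list of system program prefixes are the author's assumptions, not an Apple check.

```python
import plistlib

# Constructed copy of the persistence plist shown on the slide.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.updates</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/.local/kextd</string></array>
    <key>KeepAlive</key><false/>
    <key>RunAtLoad</key><true/>
    <key>StandardErrorPath</key><string>/dev/null</string>
    <key>StandardOutPath</key><string>/dev/null</string>
</dict>
</plist>
"""

# Where Apple's own, SIP-protected programs live (assumption: anything a
# com.apple.* service runs should come from one of these trees).
SYSTEM_PROGRAM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def audit_launch_item(plist_bytes, install_path):
    """Return a list of findings for one LaunchAgent/LaunchDaemon plist.

    install_path is where the plist file itself lives (e.g. ~/Library/LaunchAgents/...),
    which decides whether a com.apple.* label is plausible at all."""
    item = plistlib.loads(plist_bytes)
    findings = []
    label = item.get("Label", "")
    # launchd accepts either Program or ProgramArguments[0] as the executable.
    program = item.get("Program") or (item.get("ProgramArguments") or [None])[0]
    if program is None:
        findings.append("no Program/ProgramArguments")
        return findings
    if label.startswith("com.apple.") and not install_path.startswith("/System/"):
        findings.append("apple-like label outside /System: %s" % label)
    if not program.startswith(SYSTEM_PROGRAM_PREFIXES):
        findings.append("program outside system paths: %s" % program)
    if any(part.startswith(".") for part in program.split("/") if part):
        findings.append("program in hidden directory: %s" % program)
    if item.get("RunAtLoad"):
        findings.append("RunAtLoad enabled")
    if item.get("StandardOutPath") == "/dev/null" and item.get("StandardErrorPath") == "/dev/null":
        findings.append("stdout/stderr discarded")
    return findings


# Constructed benign counterpart: a third-party agent that does not pretend to be Apple.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>Label</key><string>com.example.updater</string>
    <key>Program</key><string>/usr/local/bin/example-updater</string>
</dict></plist>
"""
```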
System Integrity Protection (SIP)
• Restricts abilities of the root user (root -> kernel priv. escalation)
• File system protection:
- System directories like /bin, /sbin, /usr and /System are read-only
- Some applications can't be deleted
• Runtime protections:
- Can't attach/inject into system processes
• Kernel extensions must be signed
• SIP can only be disabled by booting into recovery mode and running csrutil
Gatekeeper
Verify code signature of "quarantined" applications
[Screenshots: Gatekeeper dialogs for a Signed and an Unsigned application]
Gatekeeper
Also checks for known malware signatures (XProtect)
XProtect
Apple's built-in "AV"
Gatekeeper Enhancements

| | Up to 10.14 "Mojave" | 10.15 "Catalina" |
|---|---|---|
| Malicious content scan | Quarantined files, opened through Finder | All executables |
| Signature checks | Quarantined files, opened through Finder | Quarantined files |
| Notarization | - | Required for quarantined files |

Advances in macOS Security (WWDC 2019) https://developer.apple.com/videos/play/wwdc2019/701/
Malware Removal Tool (MRT)
Another "AV"?!?
• Another tool to remove malware from already infected Macs
- Not just malware (Zoom) https://eclecticlight.co/2019/07/10/apple-has-pushed-an-update-to-mrt-to-remove-zooms-hidden-web-server/
• Signatures embedded in the binary
• Periodic scans as opposed to one-time scan (Gatekeeper)
1. Hypervisor
4. Real-world malware behavior
Tools
Static:
• IDA, r2, Binary Ninja, Hopper
• strings, nm, file, lipo, otool, codesign
• jtool(2)
Dynamic:
• lldb
• dtrace (fs_usage, dtruss)
• frida
• Objective-See tools (BlockBlock, procInfo, Lulu, …)
• Sandboxes
Binary format
The Basics
• Mach-O
• Magic: 0xfeedface (32 bit), 0xfeedfacf (64 bit), 0xcafebabe (fat)
• Structure:
- Header (magic, supported architectures, flags, # load commands)
- Load commands
  ▪ Segments and sections
  ▪ Dynamic linking info
  ▪ Symbol table
  ▪ UUID
  ▪ Imported libraries
  ▪ Code signing info
  ▪ …
• Use favorite disassembler, otool or jtool to inspect Mach-O files
https://github.com/aidansteele/osx-abi-macho-file-format-reference/blob/master/Mach-O_File_Format.pdf
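As an added example (not part of the slides), a minimal Mach-O header and load-command walker in Python that recognises the three magics from the slide and decodes LC_SEGMENT_64, LC_UUID and LC_LOAD_DYLIB; it goes slightly beyond the slide by also unwrapping fat slices and rejecting load commands that run past sizeofcmds or the end of the file, which packed or corrupt samples often do. The sample binary is constructed in code and the load-command constants are the values from <mach-o/loader.h>.

```python
import struct
import uuid

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xfeedface, 0xfeedfacf, 0xcafebabe
# Load command types from <mach-o/loader.h> that this parser knows by name.
LC_SEGMENT_64, LC_UUID, LC_LOAD_DYLIB = 0x19, 0x1b, 0xc
LC_NAMES = {0x1: "LC_SEGMENT", 0x2: "LC_SYMTAB", LC_LOAD_DYLIB: "LC_LOAD_DYLIB",
            LC_SEGMENT_64: "LC_SEGMENT_64", LC_UUID: "LC_UUID", 0x1d: "LC_CODE_SIGNATURE"}


def parse_macho(data, base=0):
    """Parse one little-endian thin Mach-O image that starts at data[base:]."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        hdr_fmt, bits = "<IiiIIIII", 64      # mach_header_64 (32 bytes, has 'reserved')
    elif magic == MH_MAGIC:
        hdr_fmt, bits = "<IiiIIII", 32       # mach_header (28 bytes)
    else:
        raise ValueError("not a little-endian Mach-O header: 0x%08x" % magic)
    hdr = struct.unpack_from(hdr_fmt, data, base)
    info = {"bits": bits, "cputype": hdr[1], "filetype": hdr[3], "ncmds": hdr[4],
            "sizeofcmds": hdr[5], "flags": hdr[6],
            "load_commands": [], "segments": [], "dylibs": [], "uuid": None}
    off = base + struct.calcsize(hdr_fmt)
    # Load commands must stay inside sizeofcmds and inside the file: a packer
    # or a corrupt sample can lie in either field.
    end = min(off + info["sizeofcmds"], len(data))
    for _ in range(info["ncmds"]):
        if off + 8 > end:
            raise ValueError("load command header runs past sizeofcmds/EOF")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        info["load_commands"].append(LC_NAMES.get(cmd, "LC_0x%x" % cmd))
        if cmd == LC_UUID and cmdsize >= 24:
            info["uuid"] = str(uuid.UUID(bytes=data[off + 8:off + 24]))
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # dylib.name offset
            name = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            info["dylibs"].append(name.decode("utf-8", "replace"))
        elif cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace")
            vmaddr, vmsize = struct.unpack_from("<QQ", data, off + 24)
            info["segments"].append((segname, vmaddr, vmsize))
        off += cmdsize
    return info


def parse_fat(data):
    """Return (cputype, image info) for every slice of a fat/universal binary."""
    magic, nfat = struct.unpack_from(">II", data, 0)   # fat headers are big-endian
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + i * 20)
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        slices.append((cputype, parse_macho(data, offset)))
    return slices


def build_sample_macho():
    """Constructed x86_64 executable with __TEXT, LC_UUID and one LC_LOAD_DYLIB."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    uid = struct.pack("<II", LC_UUID, 24) + bytes(range(16))
    name = b"/usr/lib/libSystem.B.dylib\0"
    name += b"\0" * (-len(name) % 8)                     # pad to 8-byte alignment
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0, 0) + name
    cmds = seg + uid + dylib
    # cputype CPU_TYPE_X86_64, cpusubtype 3, filetype MH_EXECUTE (2), 3 load commands
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                      3, len(cmds), 0x200085, 0)
    return hdr + cmds


def build_sample_fat():
    """Constructed universal binary wrapping the sample above as its only slice."""
    thin = build_sample_macho()
    arch = struct.pack(">iiIII", 0x01000007, 3, 32, len(thin), 0)
    return struct.pack(">II", FAT_MAGIC, 1) + arch + b"\0" * 4 + thin
```

The same 0xcafebabe magic also starts Java class files, so a fat-magic hit on an unknown file is worth a second look before trusting nfat_arch.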
Objective-C
The Basics
• Highly dynamic, object-oriented programming language
• Superset of C

NSString *filename = @"user.txt";
NSProcessInfo *processInfo = [NSProcessInfo processInfo];   // [classname selector]
NSString *username = [processInfo userName];                // selector (aka method) sent to an instance
[username writeToFile:filename atomically:YES];             // writeToFile: = 1st parameter, atomically: = 2nd parameter
NSLog(@"Content written to path: %@\n", filename);
Objective-C
The Basics
• All classes and methods must be registered with the runtime
• -> Need to be defined in the symbol table :)
The Basics
• Other common programming languages:
- Swift (MacSpy, Calisto, WindTail, EvilEgg)
- Bash (Shlayer)
- Python (LamePyre, DarthMiner, Dummy)
- Java (CrossRAT)
- C++, Qt (Mokes)
OSX.Shlayer
• Adware family discovered in January 2019
• App disguised as fake Flash installer
• Uses bash script instead of Mach-O executable to bypass code-signing requirements
OSX.Shlayer – 1st and 2nd stage
OSX.Shlayer – 3rd stage
-> usage of curl bypasses Gatekeeper (files are not quarantined)
Peeling back the 'Shlayers' of macOS Malware - https://objectivebythesea.com/v2/talks/OBTS_v2_Noerenberg_Watson.pdf
Malware Behavior
"Privilege Escalation"
• Password prompts -> just ask
[Screenshots: disguise as Apple service; fake prompt and store password]
"Death by 1000 Installers" Patrick Wardle https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken
Malware Behavior
Anti Analysis
• String obfuscation
• Dynamic address resolution using dlopen and dlsym
• Deny debugging: ptrace(PT_DENY_ATTACH, 0, NULL, 0)
Malware Behavior
Anti Analysis
• Sandbox evasion (sleep, time checks)
• VM detection:
- Check number of cores
- Check for virtualization artifacts in hardware registry (IOReg)
- Check MAC address prefix
• AV detection:
- Check for paths
- Check for running processes
• Packers:
- UPX (some samples use custom version)
- VMProtect
- custom packers (rare)
Malware Behavior
Anti Analysis
InstallCore
[Disassembly screenshots of a loop stepping i=0x1, i=0x2, ... i=0x20]
-> ASCII-encoded 128-bit decryption key?!
Decrypted entrypoint
Output of VMRay Analyzer:
"Never Before Had Stierlitz Been So Close To Failure" (Sergei Shevchenko) https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Shevchenko.pdf
Takeaways
• XNU's hybrid architecture
• Built-in security is mostly useless (better in 10.15)
• macOS malware has become more sophisticated (but still lame in some regards)
• Many techniques known from Windows malware are being adapted
• Adware/PUAs are on the rise
Thank you for your attention!
Resources:
• *OS Internals, Jonathan Levin - 1st edition now free! http://newosxbook.com/MOXiI.pdf
• https://objective-see.com/blog.html, Patrick Wardle
• Collection of papers and talks: https://papers.put.as/macosx/macosx/
• macOS-focused conference: https://objectivebythesea.com/