book

The Art of Mac Malware

Name: The Art of Mac Malware
Author: Patrick Wardle
ISBN: 9781718501942

by Patrick Wardle

June 2022

Intermediate to advanced

328 pages

9h 1m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
Dedication
About the Author
Foreword
Acknowledgments
Introduction
Who Should Read This Book?What You’ll Find in This BookA Note on Mac Malware TerminologyA Note on Safely Analyzing MalwareAdditional ResourcesBooks WebsitesDownloading This Book’s Malware SpecimensEndnotes
Part I: Mac Malware Basics
Chapter 1: Infection Vectors
Mac ProtectionsMalicious EmailsFake Tech and Support Fake UpdatesFake ApplicationsTrojanized ApplicationsPirated and Cracked ApplicationsCustom URL SchemesOffice MacrosXcode ProjectsSupply Chain AttacksAccount Compromises of Remote ServicesExploitsPhysical AccessUp NextEndnotes
Chapter 2: Persistence
Login ItemsLaunch Agents and DaemonsScheduled Jobs and TasksCron JobsAt JobsPeriodic ScriptsLogin and Logout HooksDynamic LibrariesDYLD_* Environment VariablesDylib ProxyingDylib HijackingPlug-insScriptsEvent Monitor RulesReopened ApplicationsApplication and Binary ModificationsKnockKnock . . . Who’s There?Up NextEndnotes

Chapter 3: Capabilities
Categorizing Mac Malware CapabilitiesSurvey and ReconnaissancePrivilege EscalationEscaping SandboxesGaining Root PrivilegesAdware-Related Hijacks and Injections Cryptocurrency MinersRemote ShellsRemote Process and Memory ExecutionRemote Download and UploadFile EncryptionStealthOther CapabilitiesUp NextEndnotes
Part II: Mac Malware Analysis
Chapter 4: Nonbinary Analysis
Identifying File TypesExtracting Malicious Files from Distribution PackagingApple Disk Images (.dmg)Packages (.pkg)Analyzing ScriptsBash Shell ScriptsPython ScriptsAppleScriptPerl ScriptsMicrosoft Office DocumentsApplicationsUp NextEndnotes
Chapter 5: Binary Triage
The Mach-O File FormatThe HeaderThe Load CommandsThe Data SegmentClassifying Mach-O FilesHashesCode-Signing InformationStringsObjective-C Class Information“Nonbinary” BinariesIdentifying the Tool Used to Build the BinaryExtracting the Nonbinary ComponentUp NextEndnotes
Chapter 6: Disassembly and Decompilation
Assembly Language BasicsRegisters Assembly InstructionsCalling ConventionsThe objc_msgSend FunctionDisassemblyObjective-C DisassemblySwift DisassemblyC/C++ DisassemblyControl Flow DisassemblyDecompilationReverse Engineering with HopperCreating a Binary to AnalyzeLoading the BinaryExploring the InterfaceViewing the DisassemblyChanging the Display Mode Up NextEndnotes
Chapter 7: Dynamic Analysis Tools
Process MonitoringThe ProcessMonitor UtilityFile MonitoringThe fs_usage UtilityThe FileMonitor UtilityNetwork MonitoringmacOS’s Network Status MonitorsThe Netiquette UtilityNetwork Traffic MonitorsUp NextEndnotes
Chapter 8: Debugging
Why You Need a DebuggerThe LLDB DebuggerStarting a Debugger SessionControlling ExecutionUsing BreakpointsExamining All the ThingsModifying Process StateLLDB ScriptingA Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store ApplicationUp NextEndnotes
Chapter 9: Anti-Analysis
Anti-Static-Analysis ApproachesSensitive Strings Disguised as ConstantsEncrypted StringsLocating Obfuscated StringsFinding the Deobfuscation CodeString Deobfuscation via a Hopper ScriptForcing the Malware to Execute Its Decryption RoutineCode-Level Obfuscations Bypassing Packed Binary CodeDecrypting Encrypted BinariesAnti-Dynamic-Analysis ApproachesChecking the System Model NameCounting the System’s Logical and Physical CPUsChecking the System’s MAC AddressChecking System Integrity Protection StatusDetecting or Killing Specific Tools Detecting a DebuggerPreventing Debugging with ptraceBypassing Anti-Dynamic-Analysis LogicModifying the Execution EnvironmentPatching the Binary ImageModifying the Malware’s Instruction PointerModifying a Register ValueA Remaining Challenge: Environmentally Generated KeysUp NextEndnotes
Part III: Analyzing EvilQuest
Chapter 10: EvilQuest’s Infection, Triage, and Deobfuscation
The Infection VectorTriageConfirming the File TypeExtracting the ContentsExploring the PackageExtracting Embedded Information from the patch BinaryAnalyzing the Command Line Parameters--silent--noroot--ignrpAnalyzing Anti-Analysis LogicVirtual Machine–Thwarting Logic?Debugging-Thwarting LogicObfuscated StringsUp NextEndnotes
Chapter 11: EvilQuest’s Persistence and Core Functionality Analysis
PersistenceKilling Unwanted ProcessesMaking Copies of ItselfPersisting the Copies as Launch ItemsStarting the Launch ItemsThe Repersistence LogicThe Local Viral Infection LogicListing Candidate Files for Infection Checking Whether to Infect Each FileInfecting Target FilesExecuting and Repersisting from Infected FilesExecuting the Infected File’s Original CodeThe Remote Communications LogicThe Mediator and Command and Control ServersRemote Tasking Logicreact_exec (0x1)react_save (0x2)react_start (0x4)react_keys (0x8)react_ping (0x10)react_host (0x20)react_scmd (0x40)The File Exfiltration LogicDirectory Listing ExfiltrationCertificate and Cryptocurrency File ExfiltrationFile Encryption LogicEvilQuest UpdatesBetter Anti-Analysis LogicModified Server AddressesA Longer List of Security Tools to TerminateNew Persistence PathsA Personal ShoutoutBetter FunctionsRemoved Ransomware LogicConclusionEndnotes
Index

Content preview from The Art of Mac Malware

4 Nonbinary Analysis

This chapter focuses on the static analysis of nonbinary file formats, such as packages, disk images, and scripts, that you’ll commonly encounter while analyzing Mac malware. Packages and disk images are compressed file formats often used to deliver malware to a user’s system. When we come across these compressed file types, our goal is to extract their contents, including any malicious files. These files, for example a malware’s installer, can come in various formats, though most commonly as either scripts or compiled binaries (often within an application bundle). Because of their plaintext readability, scripts are ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098130206

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Art of Mac Malware

by Patrick Wardle

4 Nonbinary Analysis

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.