book

The Art of Mac Malware

by Patrick Wardle

June 2022

Intermediate to advanced

328 pages

9h 1m

English

No Starch Press

Read now

Unlock full access

Who Should Read This Book?What You’ll Find in This BookA Note on Mac Malware TerminologyA Note on Safely Analyzing MalwareAdditional ResourcesBooks WebsitesDownloading This Book’s Malware SpecimensEndnotes
Mac ProtectionsMalicious EmailsFake Tech and Support Fake UpdatesFake ApplicationsTrojanized ApplicationsPirated and Cracked ApplicationsCustom URL SchemesOffice MacrosXcode ProjectsSupply Chain AttacksAccount Compromises of Remote ServicesExploitsPhysical AccessUp NextEndnotes
Login ItemsLaunch Agents and DaemonsScheduled Jobs and TasksCron JobsAt JobsPeriodic ScriptsLogin and Logout HooksDynamic LibrariesDYLD_* Environment VariablesDylib ProxyingDylib HijackingPlug-insScriptsEvent Monitor RulesReopened ApplicationsApplication and Binary ModificationsKnockKnock . . . Who’s There?Up NextEndnotes

Categorizing Mac Malware CapabilitiesSurvey and ReconnaissancePrivilege EscalationEscaping SandboxesGaining Root PrivilegesAdware-Related Hijacks and Injections Cryptocurrency MinersRemote ShellsRemote Process and Memory ExecutionRemote Download and UploadFile EncryptionStealthOther CapabilitiesUp NextEndnotes
Identifying File TypesExtracting Malicious Files from Distribution PackagingApple Disk Images (.dmg)Packages (.pkg)Analyzing ScriptsBash Shell ScriptsPython ScriptsAppleScriptPerl ScriptsMicrosoft Office DocumentsApplicationsUp NextEndnotes
The Mach-O File FormatThe HeaderThe Load CommandsThe Data SegmentClassifying Mach-O FilesHashesCode-Signing InformationStringsObjective-C Class Information“Nonbinary” BinariesIdentifying the Tool Used to Build the BinaryExtracting the Nonbinary ComponentUp NextEndnotes
Assembly Language BasicsRegisters Assembly InstructionsCalling ConventionsThe objc_msgSend FunctionDisassemblyObjective-C DisassemblySwift DisassemblyC/C++ DisassemblyControl Flow DisassemblyDecompilationReverse Engineering with HopperCreating a Binary to AnalyzeLoading the BinaryExploring the InterfaceViewing the DisassemblyChanging the Display Mode Up NextEndnotes
Process MonitoringThe ProcessMonitor UtilityFile MonitoringThe fs_usage UtilityThe FileMonitor UtilityNetwork MonitoringmacOS’s Network Status MonitorsThe Netiquette UtilityNetwork Traffic MonitorsUp NextEndnotes
Why You Need a DebuggerThe LLDB DebuggerStarting a Debugger SessionControlling ExecutionUsing BreakpointsExamining All the ThingsModifying Process StateLLDB ScriptingA Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store ApplicationUp NextEndnotes
Anti-Static-Analysis ApproachesSensitive Strings Disguised as ConstantsEncrypted StringsLocating Obfuscated StringsFinding the Deobfuscation CodeString Deobfuscation via a Hopper ScriptForcing the Malware to Execute Its Decryption RoutineCode-Level Obfuscations Bypassing Packed Binary CodeDecrypting Encrypted BinariesAnti-Dynamic-Analysis ApproachesChecking the System Model NameCounting the System’s Logical and Physical CPUsChecking the System’s MAC AddressChecking System Integrity Protection StatusDetecting or Killing Specific Tools Detecting a DebuggerPreventing Debugging with ptraceBypassing Anti-Dynamic-Analysis LogicModifying the Execution EnvironmentPatching the Binary ImageModifying the Malware’s Instruction PointerModifying a Register ValueA Remaining Challenge: Environmentally Generated KeysUp NextEndnotes
The Infection VectorTriageConfirming the File TypeExtracting the ContentsExploring the PackageExtracting Embedded Information from the patch BinaryAnalyzing the Command Line Parameters--silent--noroot--ignrpAnalyzing Anti-Analysis LogicVirtual Machine–Thwarting Logic?Debugging-Thwarting LogicObfuscated StringsUp NextEndnotes
PersistenceKilling Unwanted ProcessesMaking Copies of ItselfPersisting the Copies as Launch ItemsStarting the Launch ItemsThe Repersistence LogicThe Local Viral Infection LogicListing Candidate Files for Infection Checking Whether to Infect Each FileInfecting Target FilesExecuting and Repersisting from Infected FilesExecuting the Infected File’s Original CodeThe Remote Communications LogicThe Mediator and Command and Control ServersRemote Tasking Logicreact_exec (0x1)react_save (0x2)react_start (0x4)react_keys (0x8)react_ping (0x10)react_host (0x20)react_scmd (0x40)The File Exfiltration LogicDirectory Listing ExfiltrationCertificate and Cryptocurrency File ExfiltrationFile Encryption LogicEvilQuest UpdatesBetter Anti-Analysis LogicModified Server AddressesA Longer List of Security Tools to TerminateNew Persistence PathsA Personal ShoutoutBetter FunctionsRemoved Ransomware LogicConclusionEndnotes

Content preview from The Art of Mac Malware

10 EvilQuest’s Infection, Triage, and Deobfuscation

EvilQuest is a complex Mac malware specimen. Because it employs anti-analysis logic, a viral persistence mechanism, and insidious payloads, it’s practically begging to be analyzed. Let’s apply the skills you’ve gained from this book to do just that!

This chapter begins our comprehensive analysis of the malware by detailing its infection vector, triaging its binary, and identifying its anti-analysis logic. Chapter 11 will continue our analysis by covering the malware’s methods of persistence and its myriad of capabilities.

The Infection Vector

Much like a biological virus, identifying ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098130206

The Art of Mac Malware

by Patrick Wardle

10 EvilQuest’s Infection, Triage, and Deobfuscation

The Infection Vector

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like