book

The Art of Mac Malware

by Patrick Wardle

June 2022

Intermediate to advanced

328 pages

9h 1m

English

No Starch Press

Read now

Unlock full access

Who Should Read This Book?What You’ll Find in This BookA Note on Mac Malware TerminologyA Note on Safely Analyzing MalwareAdditional ResourcesBooks WebsitesDownloading This Book’s Malware SpecimensEndnotes
Mac ProtectionsMalicious EmailsFake Tech and Support Fake UpdatesFake ApplicationsTrojanized ApplicationsPirated and Cracked ApplicationsCustom URL SchemesOffice MacrosXcode ProjectsSupply Chain AttacksAccount Compromises of Remote ServicesExploitsPhysical AccessUp NextEndnotes
Login ItemsLaunch Agents and DaemonsScheduled Jobs and TasksCron JobsAt JobsPeriodic ScriptsLogin and Logout HooksDynamic LibrariesDYLD_* Environment VariablesDylib ProxyingDylib HijackingPlug-insScriptsEvent Monitor RulesReopened ApplicationsApplication and Binary ModificationsKnockKnock . . . Who’s There?Up NextEndnotes

Categorizing Mac Malware CapabilitiesSurvey and ReconnaissancePrivilege EscalationEscaping SandboxesGaining Root PrivilegesAdware-Related Hijacks and Injections Cryptocurrency MinersRemote ShellsRemote Process and Memory ExecutionRemote Download and UploadFile EncryptionStealthOther CapabilitiesUp NextEndnotes
Identifying File TypesExtracting Malicious Files from Distribution PackagingApple Disk Images (.dmg)Packages (.pkg)Analyzing ScriptsBash Shell ScriptsPython ScriptsAppleScriptPerl ScriptsMicrosoft Office DocumentsApplicationsUp NextEndnotes
The Mach-O File FormatThe HeaderThe Load CommandsThe Data SegmentClassifying Mach-O FilesHashesCode-Signing InformationStringsObjective-C Class Information“Nonbinary” BinariesIdentifying the Tool Used to Build the BinaryExtracting the Nonbinary ComponentUp NextEndnotes
Assembly Language BasicsRegisters Assembly InstructionsCalling ConventionsThe objc_msgSend FunctionDisassemblyObjective-C DisassemblySwift DisassemblyC/C++ DisassemblyControl Flow DisassemblyDecompilationReverse Engineering with HopperCreating a Binary to AnalyzeLoading the BinaryExploring the InterfaceViewing the DisassemblyChanging the Display Mode Up NextEndnotes
Process MonitoringThe ProcessMonitor UtilityFile MonitoringThe fs_usage UtilityThe FileMonitor UtilityNetwork MonitoringmacOS’s Network Status MonitorsThe Netiquette UtilityNetwork Traffic MonitorsUp NextEndnotes
Why You Need a DebuggerThe LLDB DebuggerStarting a Debugger SessionControlling ExecutionUsing BreakpointsExamining All the ThingsModifying Process StateLLDB ScriptingA Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store ApplicationUp NextEndnotes
Anti-Static-Analysis ApproachesSensitive Strings Disguised as ConstantsEncrypted StringsLocating Obfuscated StringsFinding the Deobfuscation CodeString Deobfuscation via a Hopper ScriptForcing the Malware to Execute Its Decryption RoutineCode-Level Obfuscations Bypassing Packed Binary CodeDecrypting Encrypted BinariesAnti-Dynamic-Analysis ApproachesChecking the System Model NameCounting the System’s Logical and Physical CPUsChecking the System’s MAC AddressChecking System Integrity Protection StatusDetecting or Killing Specific Tools Detecting a DebuggerPreventing Debugging with ptraceBypassing Anti-Dynamic-Analysis LogicModifying the Execution EnvironmentPatching the Binary ImageModifying the Malware’s Instruction PointerModifying a Register ValueA Remaining Challenge: Environmentally Generated KeysUp NextEndnotes
The Infection VectorTriageConfirming the File TypeExtracting the ContentsExploring the PackageExtracting Embedded Information from the patch BinaryAnalyzing the Command Line Parameters--silent--noroot--ignrpAnalyzing Anti-Analysis LogicVirtual Machine–Thwarting Logic?Debugging-Thwarting LogicObfuscated StringsUp NextEndnotes
PersistenceKilling Unwanted ProcessesMaking Copies of ItselfPersisting the Copies as Launch ItemsStarting the Launch ItemsThe Repersistence LogicThe Local Viral Infection LogicListing Candidate Files for Infection Checking Whether to Infect Each FileInfecting Target FilesExecuting and Repersisting from Infected FilesExecuting the Infected File’s Original CodeThe Remote Communications LogicThe Mediator and Command and Control ServersRemote Tasking Logicreact_exec (0x1)react_save (0x2)react_start (0x4)react_keys (0x8)react_ping (0x10)react_host (0x20)react_scmd (0x40)The File Exfiltration LogicDirectory Listing ExfiltrationCertificate and Cryptocurrency File ExfiltrationFile Encryption LogicEvilQuest UpdatesBetter Anti-Analysis LogicModified Server AddressesA Longer List of Security Tools to TerminateNew Persistence PathsA Personal ShoutoutBetter FunctionsRemoved Ransomware LogicConclusionEndnotes

Content preview from The Art of Mac Malware

11 EvilQuest’s Persistence and Core Functionality Analysis

Now that we’ve triaged the EvilQuest specimen and thwarted its anti-analysis logic, we can continue our analysis. In this chapter we’ll detail the malware’s methods of persistence, which ensure it is automatically restarted each time an infected system is rebooted. Then we’ll dive into the myriad of capabilities supported by this insidious threat.

Persistence

In Chapter 10 you saw that the malware invokes what is likely a persistence-related function named ei_persistence_main. Let’s take a closer look at this function, which can be found at 0x000000010000b880. Listing 11-1 is a ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098130206

The Art of Mac Malware

by Patrick Wardle

11 EvilQuest’s Persistence and Core Functionality Analysis

Persistence

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like