book

The Art of Mac Malware

by Patrick Wardle

June 2022

Intermediate to advanced

328 pages

9h 1m

English

No Starch Press

Read now

Unlock full access

Who Should Read This Book?What You’ll Find in This BookA Note on Mac Malware TerminologyA Note on Safely Analyzing MalwareAdditional ResourcesBooks WebsitesDownloading This Book’s Malware SpecimensEndnotes
Mac ProtectionsMalicious EmailsFake Tech and Support Fake UpdatesFake ApplicationsTrojanized ApplicationsPirated and Cracked ApplicationsCustom URL SchemesOffice MacrosXcode ProjectsSupply Chain AttacksAccount Compromises of Remote ServicesExploitsPhysical AccessUp NextEndnotes
Login ItemsLaunch Agents and DaemonsScheduled Jobs and TasksCron JobsAt JobsPeriodic ScriptsLogin and Logout HooksDynamic LibrariesDYLD_* Environment VariablesDylib ProxyingDylib HijackingPlug-insScriptsEvent Monitor RulesReopened ApplicationsApplication and Binary ModificationsKnockKnock . . . Who’s There?Up NextEndnotes

Categorizing Mac Malware CapabilitiesSurvey and ReconnaissancePrivilege EscalationEscaping SandboxesGaining Root PrivilegesAdware-Related Hijacks and Injections Cryptocurrency MinersRemote ShellsRemote Process and Memory ExecutionRemote Download and UploadFile EncryptionStealthOther CapabilitiesUp NextEndnotes
Identifying File TypesExtracting Malicious Files from Distribution PackagingApple Disk Images (.dmg)Packages (.pkg)Analyzing ScriptsBash Shell ScriptsPython ScriptsAppleScriptPerl ScriptsMicrosoft Office DocumentsApplicationsUp NextEndnotes
The Mach-O File FormatThe HeaderThe Load CommandsThe Data SegmentClassifying Mach-O FilesHashesCode-Signing InformationStringsObjective-C Class Information“Nonbinary” BinariesIdentifying the Tool Used to Build the BinaryExtracting the Nonbinary ComponentUp NextEndnotes
Assembly Language BasicsRegisters Assembly InstructionsCalling ConventionsThe objc_msgSend FunctionDisassemblyObjective-C DisassemblySwift DisassemblyC/C++ DisassemblyControl Flow DisassemblyDecompilationReverse Engineering with HopperCreating a Binary to AnalyzeLoading the BinaryExploring the InterfaceViewing the DisassemblyChanging the Display Mode Up NextEndnotes
Process MonitoringThe ProcessMonitor UtilityFile MonitoringThe fs_usage UtilityThe FileMonitor UtilityNetwork MonitoringmacOS’s Network Status MonitorsThe Netiquette UtilityNetwork Traffic MonitorsUp NextEndnotes
Why You Need a DebuggerThe LLDB DebuggerStarting a Debugger SessionControlling ExecutionUsing BreakpointsExamining All the ThingsModifying Process StateLLDB ScriptingA Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store ApplicationUp NextEndnotes
Anti-Static-Analysis ApproachesSensitive Strings Disguised as ConstantsEncrypted StringsLocating Obfuscated StringsFinding the Deobfuscation CodeString Deobfuscation via a Hopper ScriptForcing the Malware to Execute Its Decryption RoutineCode-Level Obfuscations Bypassing Packed Binary CodeDecrypting Encrypted BinariesAnti-Dynamic-Analysis ApproachesChecking the System Model NameCounting the System’s Logical and Physical CPUsChecking the System’s MAC AddressChecking System Integrity Protection StatusDetecting or Killing Specific Tools Detecting a DebuggerPreventing Debugging with ptraceBypassing Anti-Dynamic-Analysis LogicModifying the Execution EnvironmentPatching the Binary ImageModifying the Malware’s Instruction PointerModifying a Register ValueA Remaining Challenge: Environmentally Generated KeysUp NextEndnotes
The Infection VectorTriageConfirming the File TypeExtracting the ContentsExploring the PackageExtracting Embedded Information from the patch BinaryAnalyzing the Command Line Parameters--silent--noroot--ignrpAnalyzing Anti-Analysis LogicVirtual Machine–Thwarting Logic?Debugging-Thwarting LogicObfuscated StringsUp NextEndnotes
PersistenceKilling Unwanted ProcessesMaking Copies of ItselfPersisting the Copies as Launch ItemsStarting the Launch ItemsThe Repersistence LogicThe Local Viral Infection LogicListing Candidate Files for Infection Checking Whether to Infect Each FileInfecting Target FilesExecuting and Repersisting from Infected FilesExecuting the Infected File’s Original CodeThe Remote Communications LogicThe Mediator and Command and Control ServersRemote Tasking Logicreact_exec (0x1)react_save (0x2)react_start (0x4)react_keys (0x8)react_ping (0x10)react_host (0x20)react_scmd (0x40)The File Exfiltration LogicDirectory Listing ExfiltrationCertificate and Cryptocurrency File ExfiltrationFile Encryption LogicEvilQuest UpdatesBetter Anti-Analysis LogicModified Server AddressesA Longer List of Security Tools to TerminateNew Persistence PathsA Personal ShoutoutBetter FunctionsRemoved Ransomware LogicConclusionEndnotes

Content preview from The Art of Mac Malware

Part II Mac Malware Analysis

Now that you understand Mac malware’s infection vectors, persistence mechanisms, and capabilities, let’s discuss how you can effectively analyze malicious samples. We’ll cover both static and dynamic approaches:

Static Analysis: The examination of a sample without executing it. This approach leverages various tools that can statically extract information from a sample. Often, the analysis culminates with the use of a disassembler or decompiler.
Dynamic Analysis: The examination of a sample during its execution. This approach most commonly leverages passive monitoring tools, though it might employ more powerful tools, such as a debugger, as well.

Using these analysis techniques, we’ll determine whether a sample ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

The Art of Mac Malware, Volume 2

Patrick Wardle

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

Evasive Malware

Kyle Cucci

Malware Analysis Techniques

Dylan Barker

Publisher Resources

ISBN: 9781098130206