book

The Art of Mac Malware

by Patrick Wardle

June 2022

Intermediate to advanced

328 pages

9h 1m

English

No Starch Press

Read now

Unlock full access

Who Should Read This Book?What You’ll Find in This BookA Note on Mac Malware TerminologyA Note on Safely Analyzing MalwareAdditional ResourcesBooks WebsitesDownloading This Book’s Malware SpecimensEndnotes
Mac ProtectionsMalicious EmailsFake Tech and Support Fake UpdatesFake ApplicationsTrojanized ApplicationsPirated and Cracked ApplicationsCustom URL SchemesOffice MacrosXcode ProjectsSupply Chain AttacksAccount Compromises of Remote ServicesExploitsPhysical AccessUp NextEndnotes
Login ItemsLaunch Agents and DaemonsScheduled Jobs and TasksCron JobsAt JobsPeriodic ScriptsLogin and Logout HooksDynamic LibrariesDYLD_* Environment VariablesDylib ProxyingDylib HijackingPlug-insScriptsEvent Monitor RulesReopened ApplicationsApplication and Binary ModificationsKnockKnock . . . Who’s There?Up NextEndnotes

Categorizing Mac Malware CapabilitiesSurvey and ReconnaissancePrivilege EscalationEscaping SandboxesGaining Root PrivilegesAdware-Related Hijacks and Injections Cryptocurrency MinersRemote ShellsRemote Process and Memory ExecutionRemote Download and UploadFile EncryptionStealthOther CapabilitiesUp NextEndnotes
Identifying File TypesExtracting Malicious Files from Distribution PackagingApple Disk Images (.dmg)Packages (.pkg)Analyzing ScriptsBash Shell ScriptsPython ScriptsAppleScriptPerl ScriptsMicrosoft Office DocumentsApplicationsUp NextEndnotes
The Mach-O File FormatThe HeaderThe Load CommandsThe Data SegmentClassifying Mach-O FilesHashesCode-Signing InformationStringsObjective-C Class Information“Nonbinary” BinariesIdentifying the Tool Used to Build the BinaryExtracting the Nonbinary ComponentUp NextEndnotes
Assembly Language BasicsRegisters Assembly InstructionsCalling ConventionsThe objc_msgSend FunctionDisassemblyObjective-C DisassemblySwift DisassemblyC/C++ DisassemblyControl Flow DisassemblyDecompilationReverse Engineering with HopperCreating a Binary to AnalyzeLoading the BinaryExploring the InterfaceViewing the DisassemblyChanging the Display Mode Up NextEndnotes
Process MonitoringThe ProcessMonitor UtilityFile MonitoringThe fs_usage UtilityThe FileMonitor UtilityNetwork MonitoringmacOS’s Network Status MonitorsThe Netiquette UtilityNetwork Traffic MonitorsUp NextEndnotes
Why You Need a DebuggerThe LLDB DebuggerStarting a Debugger SessionControlling ExecutionUsing BreakpointsExamining All the ThingsModifying Process StateLLDB ScriptingA Sample Debugging Session: Uncovering Hidden Cryptocurrency Mining Logic in an App Store ApplicationUp NextEndnotes
Anti-Static-Analysis ApproachesSensitive Strings Disguised as ConstantsEncrypted StringsLocating Obfuscated StringsFinding the Deobfuscation CodeString Deobfuscation via a Hopper ScriptForcing the Malware to Execute Its Decryption RoutineCode-Level Obfuscations Bypassing Packed Binary CodeDecrypting Encrypted BinariesAnti-Dynamic-Analysis ApproachesChecking the System Model NameCounting the System’s Logical and Physical CPUsChecking the System’s MAC AddressChecking System Integrity Protection StatusDetecting or Killing Specific Tools Detecting a DebuggerPreventing Debugging with ptraceBypassing Anti-Dynamic-Analysis LogicModifying the Execution EnvironmentPatching the Binary ImageModifying the Malware’s Instruction PointerModifying a Register ValueA Remaining Challenge: Environmentally Generated KeysUp NextEndnotes
The Infection VectorTriageConfirming the File TypeExtracting the ContentsExploring the PackageExtracting Embedded Information from the patch BinaryAnalyzing the Command Line Parameters--silent--noroot--ignrpAnalyzing Anti-Analysis LogicVirtual Machine–Thwarting Logic?Debugging-Thwarting LogicObfuscated StringsUp NextEndnotes
PersistenceKilling Unwanted ProcessesMaking Copies of ItselfPersisting the Copies as Launch ItemsStarting the Launch ItemsThe Repersistence LogicThe Local Viral Infection LogicListing Candidate Files for Infection Checking Whether to Infect Each FileInfecting Target FilesExecuting and Repersisting from Infected FilesExecuting the Infected File’s Original CodeThe Remote Communications LogicThe Mediator and Command and Control ServersRemote Tasking Logicreact_exec (0x1)react_save (0x2)react_start (0x4)react_keys (0x8)react_ping (0x10)react_host (0x20)react_scmd (0x40)The File Exfiltration LogicDirectory Listing ExfiltrationCertificate and Cryptocurrency File ExfiltrationFile Encryption LogicEvilQuest UpdatesBetter Anti-Analysis LogicModified Server AddressesA Longer List of Security Tools to TerminateNew Persistence PathsA Personal ShoutoutBetter FunctionsRemoved Ransomware LogicConclusionEndnotes

Content preview from The Art of Mac Malware

Part III Analyzing EvilQuest

It’s time to put the universal adage “practice makes perfect” into, well, practice. In Part III of this book, you’ll apply all that you’ve learned in Parts I and II to thoroughly analyze the intriguing Mac malware specimen known as EvilQuest. Discovered in the summer of 2020, this malware appeared at first blush to be little more than a run-of-the-mill piece of ransomware. However, further analysis uncovered something far more sophisticated.

You’ll get the most out of this section by following along and performing the analysis with me. First, make sure you’ve created a safe analysis environment; return to this book’s introduction for guidelines on doing so. Then download the EvilQuest specimen from Objective-See’s ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098130206

The Art of Mac Malware

by Patrick Wardle

Part III Analyzing EvilQuest

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like