
BruCON


City: Ghent
Province: East Flanders
Country: BE
Twitter: @brucon
Website: https://2018.brucon.org/index.php/Main_Page
CFP Deadline: April 30, 2018, 11:55 p.m.

Details

A few years ago Mac users were confident about their security. This wasn’t due to macOS being secure but rather because of the lack of malware targeting the platform [1]. Since then, however, the situation has changed quite drastically.

According to Malwarebytes’ research [2], Mac malware saw an increase of 270% between 2016 and 2017. In 2018 the evolution has continued, and new samples are constantly being discovered. As the malware threat for Mac gets more serious, the need for automated analysis and emulation increases as well.

Today we can already find various solutions for macOS sample emulation [3]. However, as users we are often exposed only to the emulation results, not to the underlying technology itself. The process of creating such an environment is usually kept behind the scenes. In our presentation we will try to fill this gap and describe how to create a complete emulation environment for Mac malware samples built on top of Cuckoo Sandbox.

Starting with the legal issues and problems when choosing a hypervisor, we will present the pros and cons of VirtualBox, followed by the important changes made in Cuckoo to support more efficient scalability. We will also shed some light on common pitfalls as well as the implementation details of the modules responsible for running various kinds of samples: Mach-O executable, App package, DMG, PKG installer.

As expected, any sandbox system opens the door for evasion and analysis environment detection. With plenty of experience in successful mitigation of evasion tricks in Windows [4], we will transfer our knowledge to the Mac platform. We will discuss evasion techniques as well as possible counter-measures. Although fairly trivial in their nature, it turns out there are quite a few evasion techniques that demand sophisticated solutions in order to defeat them.

Joining all of these elements together, we can create a complete emulation environment for Mac malware. Such a system allows us to automate the analysis and discovery of macOS malware by quickly revealing malicious behavior without having to dig into manual analysis, while providing a framework for more advanced mitigation techniques.

[1] https://eugene.kaspersky.com/2014/09/29/the-evolution-of-os-x-malware/
[2] https://blog.malwarebytes.com/101/2018/03/the-state-of-mac-malware/
[3] https://www.blackhat.com/docs/asia-18/asia-18-Phuc-Mac-A-Mal-An%20Automated%20Framework%20for%20Mac%20Malware%20Hunting.pdf
[4] https://github.com/CheckPointSW/InviZzzible