Dissecting Rotten Apples –

macOS Malware Analysis

Felix Seele

whoami

2

Felix Seele

• Technical Lead @ VMRay

• Developed first hypervisor-based

macOS sandbox

• Now part of the VMRay Analyzer

@c1truz_

Dissecting the Apple

3

1.

hyper

visor

4. real-world malware

behavior

4

1.

hyper

visor

Second-level page tables

Two-Dimensional Paging

5

Guest Virtual

Memory

Guest Physical

Memory

Host Physical

Memory

Virtual Machine

r-x r-x

Hypervisor

Second-level page tables

Two-Dimensional Paging

6

Guest Virtual

Memory

Guest Physical

Memory

Host Physical

Memory

Virtual Machine

r-x r--

Execution will cause

page fault and trap

to hypervisor!Hypervisor

Using TDP to monitor API calls

Two-Dimensional Paging

7

Evil.app Foundation.framework

libsystem_kernel.dylib

kernel

CFNetwork.framework

• Divide memory

regions into two sets:- Set A: Target

executable

- Set B: System libraries and kernel

Using TDP to monitor API calls

Two-Dimensional Paging

• Divide memory

regions into two sets:- Set A: Target

executable

- Set B: System libraries and kernel

• One of the sets is

executable, the other

non-executable

8

Evil.app Foundation.framework

libsystem_kernel.dylib

kernel

CFNetwork.framework

✗

Using TDP to monitor API calls

Two-Dimensional Paging

9

Evil.app Foundation.framework

libsystem_kernel.dylib

kernel

CFNetwork.framework

✗• Divide memory

regions into two sets:- Set A: Target

executable

- Set B: System libraries and kernel

• One of the sets is

executable, the other

non-executable

Virtual Machine Introspection

10

ProcessesVirtual Memory

Threads

Inter-Process Communication

Shared Libraries

Syscalls

11

1.

hyper

visor

macOS Architecture

12

Mach

BSDFilesystem

Networking

Scheduling

Virtual Memory

Kernel

Space

“XNU” IPC

...

IOKit kexts

macOS Architecture

13

Mach

BSDFilesystem

Networking

Scheduling

Virtual Memory

Core Frameworks/Libraries

Kernel

Space

“XNU”

User

Space Application Frameworks

Applications

syscall

IPC

...

IO Kit kexts

macOS Architecture

14

Mach

BSD

Core Frameworks/Libraries

User

Space Application Frameworks

Applications

IOKit kexts

open source

Kernel

Space

“XNU”

closed source

https://opensource.apple.com/

15

1..n

1..n

0..1 0..1

Mach

BSD

struct proc

pid_t p_pid

void *task

pid_t p_ppid

uid_t p_uid

...

struct task

uint32_t ref_count

boolean_t active

boolean_t halting

...

void *bsd_info

...

struct thread

...

void *uthread

...

uint64_t thread_id

...

struct uthread

...

struct proc *uu_proc;

thread_t uu_thread;

void * uu_userstate;

...

Mach Messages

16

MachScheduling

Virtual Memory

Kernel

Space

“XNU”

syscall

IPC

...

• IPC mechanism used in kernel and user space

• Opaque binary blob sent between two Mach Ports

• Mach Port is essentially a message queue

• Port rights define who can send and receive messages:- “Owner” of the port holds a receive right (only one)

- Senders need to hold a send right (0..n)

• Messages can also be complex:- Pass port right to another process

- Pass out-of-line data (often used for spraying in kernel exploits)

Mach Messages

17

• Mach kernel objects are accessed through ports:- task

- thread

- vm_map

- …

• Example:

Mach Messages – Kernel

18

task_t remoteTask;

task_for_pid(mach_task_self(), pid, &remoteTask);vm_protect(remoteTask, 0x41414141, 0x100, FALSE, VM_PROT_READ | VM_PROT_EXECUTE);

typedef mach_port_t task_t;

• Mach messages are also the foundation of user space IPC

• Multiple high-level frameworks to facilitate passing structured data (-> XPC)

Mach Messages – User Space

19

XPC messages

XPC-based

RPC

CFPort MIG

Mach messages

• Communication with system

daemons- Access the keychain

- Create persistent services

- …

• Communication between sandboxed

and privileged processes (sandbox

escapes anyone?)

Auditing and Exploiting Apple IPC (Ian Beer) https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf

• Security researchers: Mach messages and the frameworks on top are really complex

and many bugs have been found- Ian Beer „Auditing and Exploiting Apple IPC“ https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf

- Ian Beer „vm_map'ing out XNU Virtual Memory” https://objectivebythesea.com/v2/talks/OBTS_v2_Beer.pdf

- Linus Henze „KeySteal: A Vulnerability in Apple's Keychain“ https://objectivebythesea.com/v2/talks.html

- Liang Chen, Qidan He „Shooting the OS X El Capitan Kernel Like a Sniper“ https://recon.cx/2016/resources/slides/RECON-0xA-Shooting_the_OSX_El_Capitan_Kernel_Like_A_Sniper_Chen_He.pdf

• Malware analysis: A lot of relevant system functionality is implemented using Mach

messages under the hood (eg. installing persistent services, screen capture, …)

• Malware sandboxes: Need to monitor IPC communication to not miss behavior

Mach Messages – Why should we care?

20

21

1.

hyper

visor

• pid 1

• Every process has a send right to launchd (“bootstrap port”)

• Serves as a “registry” to look up Mach ports for registered services

launchd

22

mach_port_t bs_port, service_port;task_get_bootstrap_port(mach_task_self(), &bs_port);

// register servicebootstrap_check_in(bs_port, "com.example.service", &service_port);

// lookup servicebootstrap_look_up(bs_port, "com.example.service", &service_port);

• Responsible for starting other processes:- Background services (LaunchDaemons and LaunchAgents)

- Opening files/documents from Finder or other Applications

- On-demand (crash handler, on mount, on file modification, on connection, …)

• LaunchDaemons: Start at boot-time, no interaction

• LaunchAgents: Start at login-time, connected to the user’s session, may have GUI

• Service defined in plist (XML)

launchd

23

/System/Library/LaunchDaemons/ -- system

/Library/LaunchDaemons/ -- 3rd party

/System/Library/LaunchAgents -- system

/Library/LaunchAgents -- 3rd party (all users)

~/Library/LaunchAgents -- 3rd party (spec. user)

24

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict>

<key>Label</key><string>com.apple.updates</string>

<key>ProgramArguments</key><array>

<string>/Users/Shared/.local/kextd</string></array>

<key>KeepAlive</key><false/><key>RunAtLoad</key><true/><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string>

</dict></plist>

• Restricts abilities of the root user (root -> kernel priv. escalation)

• File system protection:- System directories like /bin, /sbin, /usr and /System are read-only

- Some applications can’t be deleted

• Runtime protections:- Can’t attach/inject into system processes

• Kernel extensions must be signed

• SIP can only be disabled by booting into recovery mode and running csrutil

System Integrity Protection (SIP)

25

Verify code signature of “quarantined” applications

Gatekeeper

26

Signed Unsigned

Verify code signature of “quarantined” applications

Gatekeeper

27

Also checks for known malware signatures (XProtect)

Gatekeeper

28

Also checks for known malware signatures (XProtect)

Gatekeeper

29

Apple’s built-in “AV”

XProtect

30

Gatekeeper Enhancements

31

Up to 10.14 “Mojave” 10.15 “Catalina”

Malicious content scanQuarantined files, opened

through FinderAll executables

Signature checksQuarantined files, opened

through FinderQuarantined files

Notarization - Required for quarantined files

Advances in macOS Security (WWDC 2019) https://developer.apple.com/videos/play/wwdc2019/701/

Another ”AV”?!?

Malware Removal Tool (MRT)

• Another tool to remove malware from already infected Macs- Not just malware (Zoom )

https://eclecticlight.co/2019/07/10/apple-has-pushed-an-update-to-mrt-to-remove-zooms-hidden-web-server/

• Signatures embedded in the binary

• Periodic scans as opposed to one-time scan (Gatekeeper)

32

33

1.

hyper

visor

4. real-world malware

behavior

Tools

Static:

• IDA, r2, Binary Ninja, Hopper

• strings, nm, file, lipo, otool, codesign

• jtool(2)

Dynamic:

• lldb

• dtrace (fs_usage, dtruss)

• frida

• Objective-See tools (BlockBlock,

procInfo, Lulu, …)

• Sandboxes

34

Binary format

The Basics

• Mach-O

• Magic: 0xfeedface (32 bit), 0xfeedfacf (64 bit), 0xcafebabe (fat)

• Structure:- Header (magic, supported architectures, flags, # load commands)

- Load commands

▪ Segments and sections

▪ Dynamic linking info

▪ Symbol table

▪ UUID

▪ Imported libraries

▪ Code signing info

▪ …

• Use favorite disassembler, otool or jtool to inspect Mach-O files

35https://github.com/aidansteele/osx-abi-macho-file-format-reference/blob/master/Mach-O_File_Format.pdf

Objective-C

The Basics

• Highly dynamic, object-oriented programming language

• Superset of C

36

NSProcessInfo *processInfo = [NSProcessInfo processInfo];NSString *username = [processInfo userName];

[username writeToFile:@"user.txt" atomically:YES];

NSLog(@"Content written to path: %@\n", filename);

classname selector (aka method)

1st parameter 2nd parameter

Objective-C

The Basics

• All classes and methods must be registered with runtime

• -> Need to be defined in symbol table :)

37

• Other common programming languages:

- Swift (MacSpy, Calisto, WindTail, EvilEgg)

- Bash (Shlayer)

- Python (LamePyre, DarthMiner, Dummy)

- Java (CrossRAT)

- C++, Qt (Mokes)

The Basics

38

• Adware family discovered in January 2019

• App disguised as fake flash installer

• Uses bash script instead of Mach-O executable to bypass codesigning requirements

OSX.Shlayer

39

1st and 2nd stage

OSX.Shlayer

40

3rd stage

OSX.Shlayer

41

-> usage of curl bypasses Gatekeeper (files are not quarantined)

Peeling back the 'Shlayers' of macOS Malware - https://objectivebythesea.com/v2/talks/OBTS_v2_Noerenberg_Watson.pdf

“Privilege Escalation”

Malware Behavior

• Password prompts -> just ask

42

Disguise as Apple service Fake prompt and store password

“Death by 1000 Installers” Patrick Wardle https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken

Anti Analysis

Malware Behavior

• String obfuscation

• Dynamic address resolution using dlopen and dlsym

• Deny debugging: ptrace(PT_DENY_ATTACH, 0, NULL, 0)

43

Anti Analysis

Malware Behavior

• Sandbox evasion (sleep, time checks)

• VM detection- Check number of cores

- Check for virtualization artifacts in hardware registry (IOReg)

- Check MAC address prefix

44

Anti Analysis

Malware Behavior

• Sleep evasion

• VM detection- Check number of cores

- Check for virtualization artifacts in hardware registry (IOReg)

- Check MAC prefix

• AV detection- Check for paths

- Check for running processes

• Packers- UPX (some samples use custom version)

- VMProtect

- custom packers (rare)

45

Anti Analysis

Malware Behavior

46

InstallCore

47

48

49

i=0x1

i=0x2

i=0x20

-> ascii encoded 128-bit decryption key?!

51

Decrypted entrypoint

52

Output of VMRay Analyzer:

"Never Before Had Stierlitz Been So Close To Failure" (Sergei Shevchenko) https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Shevchenko.pdf

• XNU’s hybrid architecture

• Built-in security is mostly useless (better in 10.15)

• macOS malware has become more sophisticated (but still lame in some regards)

• Many techniques known from Windows malware are being adapted

• Adware/PUAs are on the rise

Takeaways

53

Thank you for your attention!

• *OS Internals, Jonathan Levin - 1st edition now free! http://newosxbook.com/MOXiI.pdf

• https://objective-see.com/blog.html, Patrick Wardle

• Collection of papers and talks: https://papers.put.as/macosx/macosx/

• macOS-focused conference: https://objectivebythesea.com/

Resources: