Dissecting Rotten Apples –
macOS Malware Analysis
Felix Seele
whoami
2
Felix Seele
• Technical Lead @ VMRay
• Developed first hypervisor-based
macOS sandbox
• Now part of the VMRay Analyzer
@c1truz_
Dissecting the Apple
3
1.
hyper
visor
4. real-world malware
behavior
4
1.
hyper
visor
Second-level page tables
Two-Dimensional Paging
5
Guest Virtual
Memory
Guest Physical
Memory
Host Physical
Memory
Virtual Machine
r-x r-x
Hypervisor
Second-level page tables
Two-Dimensional Paging
6
Guest Virtual
Memory
Guest Physical
Memory
Host Physical
Memory
Virtual Machine
r-x r--
Execution will cause
page fault and trap
to hypervisor!Hypervisor
Using TDP to monitor API calls
Two-Dimensional Paging
7
Evil.app Foundation.framework
libsystem_kernel.dylib
kernel
CFNetwork.framework
• Divide memory
regions into two sets:- Set A: Target
executable
- Set B: System libraries and kernel
Using TDP to monitor API calls
Two-Dimensional Paging
• Divide memory
regions into two sets:- Set A: Target
executable
- Set B: System libraries and kernel
• One of the sets is
executable, the other
non-executable
8
Evil.app Foundation.framework
libsystem_kernel.dylib
kernel
CFNetwork.framework
✗
Using TDP to monitor API calls
Two-Dimensional Paging
9
Evil.app Foundation.framework
libsystem_kernel.dylib
kernel
CFNetwork.framework
✗• Divide memory
regions into two sets:- Set A: Target
executable
- Set B: System libraries and kernel
• One of the sets is
executable, the other
non-executable
Virtual Machine Introspection
10
ProcessesVirtual Memory
Threads
Inter-Process Communication
Shared Libraries
Syscalls
11
1.
hyper
visor
macOS Architecture
12
Mach
BSDFilesystem
Networking
Scheduling
Virtual Memory
Kernel
Space
“XNU” IPC
...
IOKit kexts
macOS Architecture
13
Mach
BSDFilesystem
Networking
Scheduling
Virtual Memory
Core Frameworks/Libraries
Kernel
Space
“XNU”
User
Space Application Frameworks
Applications
syscall
IPC
...
IO Kit kexts
macOS Architecture
14
Mach
BSD
Core Frameworks/Libraries
User
Space Application Frameworks
Applications
IOKit kexts
open source
Kernel
Space
“XNU”
closed source
https://opensource.apple.com/
15
1..n
1..n
0..1 0..1
Mach
BSD
struct proc
pid_t p_pid
void *task
pid_t p_ppid
uid_t p_uid
...
struct task
uint32_t ref_count
boolean_t active
boolean_t halting
...
void *bsd_info
...
struct thread
...
void *uthread
...
uint64_t thread_id
...
struct uthread
...
struct proc *uu_proc;
thread_t uu_thread;
void * uu_userstate;
...
Mach Messages
16
MachScheduling
Virtual Memory
Kernel
Space
“XNU”
syscall
IPC
...
• IPC mechanism used in kernel and user space
• Opaque binary blob sent between two Mach Ports
• Mach Port is essentially a message queue
• Port rights define who can send and receive messages:- “Owner” of the port holds a receive right (only one)
- Senders need to hold a send right (0..n)
• Messages can also be complex:- Pass port right to another process
- Pass out-of-line data (often used for spraying in kernel exploits)
Mach Messages
17
• Mach kernel objects are accessed through ports:- task
- thread
- vm_map
- …
• Example:
Mach Messages – Kernel
18
task_t remoteTask;
task_for_pid(mach_task_self(), pid, &remoteTask);vm_protect(remoteTask, 0x41414141, 0x100, FALSE, VM_PROT_READ | VM_PROT_EXECUTE);
typedef mach_port_t task_t;
• Mach messages are also the foundation of user space IPC
• Multiple high-level frameworks to facilitate passing structured data (-> XPC)
Mach Messages – User Space
19
XPC messages
XPC-based
RPC
CFPort MIG
Mach messages
• Communication with system
daemons- Access the keychain
- Create persistent services
- …
• Communication between sandboxed
and privileged processes (sandbox
escapes anyone?)
Auditing and Exploiting Apple IPC (Ian Beer) https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf
• Security researchers: Mach messages and the frameworks on top are really complex
and many bugs have been found- Ian Beer „Auditing and Exploiting Apple IPC“ https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf
- Ian Beer „vm_map'ing out XNU Virtual Memory” https://objectivebythesea.com/v2/talks/OBTS_v2_Beer.pdf
- Linus Henze „KeySteal: A Vulnerability in Apple's Keychain“ https://objectivebythesea.com/v2/talks.html
- Liang Chen, Qidan He „Shooting the OS X El Capitan Kernel Like a Sniper“ https://recon.cx/2016/resources/slides/RECON-0xA-Shooting_the_OSX_El_Capitan_Kernel_Like_A_Sniper_Chen_He.pdf
• Malware analysis: A lot of relevant system functionality is implemented using Mach
messages under the hood (eg. installing persistent services, screen capture, …)
• Malware sandboxes: Need to monitor IPC communication to not miss behavior
Mach Messages – Why should we care?
20
21
1.
hyper
visor
• pid 1
• Every process has a send right to launchd (“bootstrap port”)
• Serves as a “registry” to look up Mach ports for registered services
launchd
22
mach_port_t bs_port, service_port;task_get_bootstrap_port(mach_task_self(), &bs_port);
// register servicebootstrap_check_in(bs_port, "com.example.service", &service_port);
// lookup servicebootstrap_look_up(bs_port, "com.example.service", &service_port);
• Responsible for starting other processes:- Background services (LaunchDaemons and LaunchAgents)
- Opening files/documents from Finder or other Applications
- On-demand (crash handler, on mount, on file modification, on connection, …)
• LaunchDaemons: Start at boot-time, no interaction
• LaunchAgents: Start at login-time, connected to the user’s session, may have GUI
• Service defined in plist (XML)
launchd
23
/System/Library/LaunchDaemons/ -- system
/Library/LaunchDaemons/ -- 3rd party
/System/Library/LaunchAgents -- system
/Library/LaunchAgents -- 3rd party (all users)
~/Library/LaunchAgents -- 3rd party (spec. user)
24
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict>
<key>Label</key><string>com.apple.updates</string>
<key>ProgramArguments</key><array>
<string>/Users/Shared/.local/kextd</string></array>
<key>KeepAlive</key><false/><key>RunAtLoad</key><true/><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>
• Restricts abilities of the root user (root -> kernel priv. escalation)
• File system protection:- System directories like /bin, /sbin, /usr and /System are read-only
- Some applications can’t be deleted
• Runtime protections:- Can’t attach/inject into system processes
• Kernel extensions must be signed
• SIP can only be disabled by booting into recovery mode and running csrutil
System Integrity Protection (SIP)
25
Verify code signature of “quarantined” applications
Gatekeeper
26
Signed Unsigned
Verify code signature of “quarantined” applications
Gatekeeper
27
Also checks for known malware signatures (XProtect)
Gatekeeper
28
Also checks for known malware signatures (XProtect)
Gatekeeper
29
Apple’s built-in “AV”
XProtect
30
Gatekeeper Enhancements
31
Up to 10.14 “Mojave” 10.15 “Catalina”
Malicious content scanQuarantined files, opened
through FinderAll executables
Signature checksQuarantined files, opened
through FinderQuarantined files
Notarization - Required for quarantined files
Advances in macOS Security (WWDC 2019) https://developer.apple.com/videos/play/wwdc2019/701/
Another ”AV”?!?
Malware Removal Tool (MRT)
• Another tool to remove malware from already infected Macs- Not just malware (Zoom )
https://eclecticlight.co/2019/07/10/apple-has-pushed-an-update-to-mrt-to-remove-zooms-hidden-web-server/
• Signatures embedded in the binary
• Periodic scans as opposed to one-time scan (Gatekeeper)
32
33
1.
hyper
visor
4. real-world malware
behavior
Tools
Static:
• IDA, r2, Binary Ninja, Hopper
• strings, nm, file, lipo, otool, codesign
• jtool(2)
Dynamic:
• lldb
• dtrace (fs_usage, dtruss)
• frida
• Objective-See tools (BlockBlock,
procInfo, Lulu, …)
• Sandboxes
34
Binary format
The Basics
• Mach-O
• Magic: 0xfeedface (32 bit), 0xfeedfacf (64 bit), 0xcafebabe (fat)
• Structure:- Header (magic, supported architectures, flags, # load commands)
- Load commands
▪ Segments and sections
▪ Dynamic linking info
▪ Symbol table
▪ UUID
▪ Imported libraries
▪ Code signing info
▪ …
• Use favorite disassembler, otool or jtool to inspect Mach-O files
35https://github.com/aidansteele/osx-abi-macho-file-format-reference/blob/master/Mach-O_File_Format.pdf
Objective-C
The Basics
• Highly dynamic, object-oriented programming language
• Superset of C
36
NSProcessInfo *processInfo = [NSProcessInfo processInfo];NSString *username = [processInfo userName];
[username writeToFile:@"user.txt" atomically:YES];
NSLog(@"Content written to path: %@\n", filename);
classname selector (aka method)
1st parameter 2nd parameter
Objective-C
The Basics
• All classes and methods must be registered with runtime
• -> Need to be defined in symbol table :)
37
• Other common programming languages:
- Swift (MacSpy, Calisto, WindTail, EvilEgg)
- Bash (Shlayer)
- Python (LamePyre, DarthMiner, Dummy)
- Java (CrossRAT)
- C++, Qt (Mokes)
The Basics
38
• Adware family discovered in January 2019
• App disguised as fake flash installer
• Uses bash script instead of Mach-O executable to bypass codesigning requirements
OSX.Shlayer
39
1st and 2nd stage
OSX.Shlayer
40
3rd stage
OSX.Shlayer
41
-> usage of curl bypasses Gatekeeper (files are not quarantined)
Peeling back the 'Shlayers' of macOS Malware - https://objectivebythesea.com/v2/talks/OBTS_v2_Noerenberg_Watson.pdf
“Privilege Escalation”
Malware Behavior
• Password prompts -> just ask
42
Disguise as Apple service Fake prompt and store password
“Death by 1000 Installers” Patrick Wardle https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken
Anti Analysis
Malware Behavior
• String obfuscation
• Dynamic address resolution using dlopen and dlsym
• Deny debugging: ptrace(PT_DENY_ATTACH, 0, NULL, 0)
43
Anti Analysis
Malware Behavior
• Sandbox evasion (sleep, time checks)
• VM detection- Check number of cores
- Check for virtualization artifacts in hardware registry (IOReg)
- Check MAC address prefix
44
Anti Analysis
Malware Behavior
• Sleep evasion
• VM detection- Check number of cores
- Check for virtualization artifacts in hardware registry (IOReg)
- Check MAC prefix
• AV detection- Check for paths
- Check for running processes
• Packers- UPX (some samples use custom version)
- VMProtect
- custom packers (rare)
45
Anti Analysis
Malware Behavior
46
InstallCore
47
48
49
i=0x1
i=0x2
i=0x20
-> ascii encoded 128-bit decryption key?!
51
Decrypted entrypoint
52
Output of VMRay Analyzer:
"Never Before Had Stierlitz Been So Close To Failure" (Sergei Shevchenko) https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Shevchenko.pdf
• XNU’s hybrid architecture
• Built-in security is mostly useless (better in 10.15)
• macOS malware has become more sophisticated (but still lame in some regards)
• Many techniques known from Windows malware are being adapted
• Adware/PUAs are on the rise
Takeaways
53
Thank you for your attention!
• *OS Internals, Jonathan Levin - 1st edition now free! http://newosxbook.com/MOXiI.pdf
• https://objective-see.com/blog.html, Patrick Wardle
• Collection of papers and talks: https://papers.put.as/macosx/macosx/
• macOS-focused conference: https://objectivebythesea.com/
Resources: