Endpoint //

Privacy

3/14/2018
04:36 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis

Researchers at Black Hat Asia will demonstrate a new framework they created for catching and studying Apple MacOS malware.

Malware targeting Windows machines still dominates the threat landscape, but hackers gradually have been expanding their target range to increasingly popular Apple MacOS platforms. A team of researchers now has created an automated MacOS malware analyzer that streamlines and simplifies the process of detecting and studying the growing ecosystem of malicious code targeting Macs.

MacOS research tools typically have relied on manual analysis of malware, notes Pham Duy Phuc, a malware analyst with Netherlands-based Sfylabs BV. Phuc says he first began developing the so-called Mac-A-Mal tool while pursuing his Master's Degree at the University of Trento in Italy.  

"There are tools for malware reverse-engineering, debugging, and malware analysis on Mac," including commercial tools like Hopper and IDA, and open-source tools like Radare2, MachO View, lldb, Otool, and Dtrace, Phuc noted in an email interview. But these tools mostly require manual analysis, which means the researcher also must have some know-how in order to use them.

"Each tool only solves one piece of the puzzle and it depends on experience of the researcher. Using these tools manually takes too much time and effort, and will never combat malicious software," said Phuc. "For a demand of thousands [of] malware per day, an automated framework with combination of useful tools would make malware analyst daily job easier."

Phuc and Fabio Massacci, his former professor at the University of Trento, will demonstrate Mac-A-Mal at Black Hat Asia in Singapore next week. The two also plan to soon release the tool as open-source.

[See researchers demonstrate Mac-A-Mal live at Black Hat Asia in Singapore next week, March 22-23: conference and registration information.]

 Mac-A-Mal uses a combination of static- and dynamic code analysis to detect MacOS malware, as well as to cheat anti-analysis methods that some malware authors use to evade detection and investigation. It gathers malware binary behavior patterns, such as network traffic, evasion methods, and file operation. The tool uses kernel-level system calls, which allows it to operate undetected. "It takes actual behavioral data of malware samples, executions, inside a sandbox," he said.

Half of Mac Malware = Backdoors

The researchers used the tool to parse some 2,000 Mac samples on VirusTotal, which led to the discovery of a previously unknown adware campaign that uses legitimate Apple developer certificates, keyloggers, and Trojans. They believe the adware operation is the handiwork of the APT32 aka OceanLotus group believed to be out of Vietnam, and it's targeting Chinese and Vietnamese organizations.

"By studying the first generation of Mac OceanLotus samples through our framework, we found some similar behavioral signatures amongst the family. In March 2017, we found a second generation of Mac APT32 which [has a] zero-detection rate over more than 50 antivirus vendors ... hunting those behaviors on VirusTotal," he said. That new variant is more advanced, he said.

Phuc says the team also discovered hundreds of other Mac malware samples that with manual tools would be difficult to identify, and nearly half of all Mac malware collected in 2017 on VirusTotal were backdoor Trojans. The majority of malware samples were adware, mostly OSX/Pirrit and OSX/MacKeeper. "We observed a total of 86 different Mac malware families until 2017, and 49% of them belongs to backdoor/Trojan" categories, he said.

Mac-A-Mal basically works like this: it finds MacOS malware and places the samples in a sandbox where it performs static analysis on multiple samples at the same time. "The sandbox is armored with network sniffer, system calls and behavior logging, as well as anti-evasion from kernel-mode to send back a report to analysis machine," Phuc explained.

Kernel-level monitoring has its advantages, according to Phuc. Namely it's a more complete view from the lower level of the operating system, while at the same time keeping Mac-A-Mal under cover from anti-analysis detection. Next up for Mac-A-Mal is machine learning capabilities: "We would like to later apply more robust and advanced techniques for better features extraction from the analysis, and machine learning for a larger scale of Mac samples," Phuc said.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
7/29/2018 | 4:06:30 AM
Re: I.WANT.THIS.
Hackers are growing in numbers and they know exactly which platforms are vulnerable enough to become their next target to hit. As much as we would like to update our systems at work and at home, we can never keep up with technology especially amidst our busy schedules. This makes us easy targets for hackers as they usually aim for the older versions of operating systems to hack into. However, usualy for personal usage, it is not much of a concern. Large corporations with so much data to share are usually the main target.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/16/2018 | 12:47:27 PM
Re: I.WANT.THIS.
I know they are hoping to release it soon, but I'm not clear it will be next week. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/15/2018 | 9:46:40 AM
I.WANT.THIS.
This sounds like a great tool and a great asset.  I hope it becomes publicly available soon!
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Why Password Management and Security Strategies Fall Short
Steve Zurier, Freelance Writer,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8584
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.
CVE-2018-8588
PUBLISHED: 2018-11-14
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8...
CVE-2018-8589
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists when Windows improperly handles calls to Win32k.sys, aka "Windows Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2.
CVE-2018-8592
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists in Windows 10 version 1809 when installed from physical media (USB, DVD, etc, aka "Windows Elevation Of Privilege Vulnerability." This affects Windows 10, Windows Server 2019.
CVE-2018-8600
PUBLISHED: 2018-11-14
A Cross-site Scripting (XSS) vulnerability exists when Azure App Services on Azure Stack does not properly sanitize user provided input, aka "Azure App Service Cross-site Scripting Vulnerability." This affects Azure App.