Endpoint //

Privacy

3/14/2018
04:36 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis

Researchers at Black Hat Asia will demonstrate a new framework they created for catching and studying Apple MacOS malware.

Malware targeting Windows machines still dominates the threat landscape, but hackers gradually have been expanding their target range to increasingly popular Apple MacOS platforms. A team of researchers now has created an automated MacOS malware analyzer that streamlines and simplifies the process of detecting and studying the growing ecosystem of malicious code targeting Macs.

MacOS research tools typically have relied on manual analysis of malware, notes Pham Duy Phuc, a malware analyst with Netherlands-based Sfylabs BV. Phuc says he first began developing the so-called Mac-A-Mal tool while pursuing his Master's Degree at the University of Trento in Italy.  

"There are tools for malware reverse-engineering, debugging, and malware analysis on Mac," including commercial tools like Hopper and IDA, and open-source tools like Radare2, MachO View, lldb, Otool, and Dtrace, Phuc noted in an email interview. But these tools mostly require manual analysis, which means the researcher also must have some know-how in order to use them.

"Each tool only solves one piece of the puzzle and it depends on experience of the researcher. Using these tools manually takes too much time and effort, and will never combat malicious software," said Phuc. "For a demand of thousands [of] malware per day, an automated framework with combination of useful tools would make malware analyst daily job easier."

Phuc and Fabio Massacci, his former professor at the University of Trento, will demonstrate Mac-A-Mal at Black Hat Asia in Singapore next week. The two also plan to soon release the tool as open-source.

[See researchers demonstrate Mac-A-Mal live at Black Hat Asia in Singapore next week, March 22-23: conference and registration information.]

 Mac-A-Mal uses a combination of static- and dynamic code analysis to detect MacOS malware, as well as to cheat anti-analysis methods that some malware authors use to evade detection and investigation. It gathers malware binary behavior patterns, such as network traffic, evasion methods, and file operation. The tool uses kernel-level system calls, which allows it to operate undetected. "It takes actual behavioral data of malware samples, executions, inside a sandbox," he said.

Half of Mac Malware = Backdoors

The researchers used the tool to parse some 2,000 Mac samples on VirusTotal, which led to the discovery of a previously unknown adware campaign that uses legitimate Apple developer certificates, keyloggers, and Trojans. They believe the adware operation is the handiwork of the APT32 aka OceanLotus group believed to be out of Vietnam, and it's targeting Chinese and Vietnamese organizations.

"By studying the first generation of Mac OceanLotus samples through our framework, we found some similar behavioral signatures amongst the family. In March 2017, we found a second generation of Mac APT32 which [has a] zero-detection rate over more than 50 antivirus vendors ... hunting those behaviors on VirusTotal," he said. That new variant is more advanced, he said.

Phuc says the team also discovered hundreds of other Mac malware samples that with manual tools would be difficult to identify, and nearly half of all Mac malware collected in 2017 on VirusTotal were backdoor Trojans. The majority of malware samples were adware, mostly OSX/Pirrit and OSX/MacKeeper. "We observed a total of 86 different Mac malware families until 2017, and 49% of them belongs to backdoor/Trojan" categories, he said.

Mac-A-Mal basically works like this: it finds MacOS malware and places the samples in a sandbox where it performs static analysis on multiple samples at the same time. "The sandbox is armored with network sniffer, system calls and behavior logging, as well as anti-evasion from kernel-mode to send back a report to analysis machine," Phuc explained.

Kernel-level monitoring has its advantages, according to Phuc. Namely it's a more complete view from the lower level of the operating system, while at the same time keeping Mac-A-Mal under cover from anti-analysis detection. Next up for Mac-A-Mal is machine learning capabilities: "We would like to later apply more robust and advanced techniques for better features extraction from the analysis, and machine learning for a larger scale of Mac samples," Phuc said.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
7/29/2018 | 4:06:30 AM
Re: I.WANT.THIS.
Hackers are growing in numbers and they know exactly which platforms are vulnerable enough to become their next target to hit. As much as we would like to update our systems at work and at home, we can never keep up with technology especially amidst our busy schedules. This makes us easy targets for hackers as they usually aim for the older versions of operating systems to hack into. However, usualy for personal usage, it is not much of a concern. Large corporations with so much data to share are usually the main target.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/16/2018 | 12:47:27 PM
Re: I.WANT.THIS.
I know they are hoping to release it soon, but I'm not clear it will be next week. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/15/2018 | 9:46:40 AM
I.WANT.THIS.
This sounds like a great tool and a great asset.  I hope it becomes publicly available soon!
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...