Endpoint //

Privacy

3/14/2018
04:36 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis

Researchers at Black Hat Asia will demonstrate a new framework they created for catching and studying Apple MacOS malware.

Malware targeting Windows machines still dominates the threat landscape, but hackers gradually have been expanding their target range to increasingly popular Apple MacOS platforms. A team of researchers now has created an automated MacOS malware analyzer that streamlines and simplifies the process of detecting and studying the growing ecosystem of malicious code targeting Macs.

MacOS research tools typically have relied on manual analysis of malware, notes Pham Duy Phuc, a malware analyst with Netherlands-based Sfylabs BV. Phuc says he first began developing the so-called Mac-A-Mal tool while pursuing his Master's Degree at the University of Trento in Italy.  

"There are tools for malware reverse-engineering, debugging, and malware analysis on Mac," including commercial tools like Hopper and IDA, and open-source tools like Radare2, MachO View, lldb, Otool, and Dtrace, Phuc noted in an email interview. But these tools mostly require manual analysis, which means the researcher also must have some know-how in order to use them.

"Each tool only solves one piece of the puzzle and it depends on experience of the researcher. Using these tools manually takes too much time and effort, and will never combat malicious software," said Phuc. "For a demand of thousands [of] malware per day, an automated framework with combination of useful tools would make malware analyst daily job easier."

Phuc and Fabio Massacci, his former professor at the University of Trento, will demonstrate Mac-A-Mal at Black Hat Asia in Singapore next week. The two also plan to soon release the tool as open-source.

[See researchers demonstrate Mac-A-Mal live at Black Hat Asia in Singapore next week, March 22-23: conference and registration information.]

 Mac-A-Mal uses a combination of static- and dynamic code analysis to detect MacOS malware, as well as to cheat anti-analysis methods that some malware authors use to evade detection and investigation. It gathers malware binary behavior patterns, such as network traffic, evasion methods, and file operation. The tool uses kernel-level system calls, which allows it to operate undetected. "It takes actual behavioral data of malware samples, executions, inside a sandbox," he said.

Half of Mac Malware = Backdoors

The researchers used the tool to parse some 2,000 Mac samples on VirusTotal, which led to the discovery of a previously unknown adware campaign that uses legitimate Apple developer certificates, keyloggers, and Trojans. They believe the adware operation is the handiwork of the APT32 aka OceanLotus group believed to be out of Vietnam, and it's targeting Chinese and Vietnamese organizations.

"By studying the first generation of Mac OceanLotus samples through our framework, we found some similar behavioral signatures amongst the family. In March 2017, we found a second generation of Mac APT32 which [has a] zero-detection rate over more than 50 antivirus vendors ... hunting those behaviors on VirusTotal," he said. That new variant is more advanced, he said.

Phuc says the team also discovered hundreds of other Mac malware samples that with manual tools would be difficult to identify, and nearly half of all Mac malware collected in 2017 on VirusTotal were backdoor Trojans. The majority of malware samples were adware, mostly OSX/Pirrit and OSX/MacKeeper. "We observed a total of 86 different Mac malware families until 2017, and 49% of them belongs to backdoor/Trojan" categories, he said.

Mac-A-Mal basically works like this: it finds MacOS malware and places the samples in a sandbox where it performs static analysis on multiple samples at the same time. "The sandbox is armored with network sniffer, system calls and behavior logging, as well as anti-evasion from kernel-mode to send back a report to analysis machine," Phuc explained.

Kernel-level monitoring has its advantages, according to Phuc. Namely it's a more complete view from the lower level of the operating system, while at the same time keeping Mac-A-Mal under cover from anti-analysis detection. Next up for Mac-A-Mal is machine learning capabilities: "We would like to later apply more robust and advanced techniques for better features extraction from the analysis, and machine learning for a larger scale of Mac samples," Phuc said.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
7/29/2018 | 4:06:30 AM
Re: I.WANT.THIS.
Hackers are growing in numbers and they know exactly which platforms are vulnerable enough to become their next target to hit. As much as we would like to update our systems at work and at home, we can never keep up with technology especially amidst our busy schedules. This makes us easy targets for hackers as they usually aim for the older versions of operating systems to hack into. However, usualy for personal usage, it is not much of a concern. Large corporations with so much data to share are usually the main target.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/16/2018 | 12:47:27 PM
Re: I.WANT.THIS.
I know they are hoping to release it soon, but I'm not clear it will be next week. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/15/2018 | 9:46:40 AM
I.WANT.THIS.
This sounds like a great tool and a great asset.  I hope it becomes publicly available soon!
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.