Endpoint //

Privacy

3/14/2018
04:36 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis

Researchers at Black Hat Asia will demonstrate a new framework they created for catching and studying Apple MacOS malware.

Malware targeting Windows machines still dominates the threat landscape, but hackers gradually have been expanding their target range to increasingly popular Apple MacOS platforms. A team of researchers now has created an automated MacOS malware analyzer that streamlines and simplifies the process of detecting and studying the growing ecosystem of malicious code targeting Macs.

MacOS research tools typically have relied on manual analysis of malware, notes Pham Duy Phuc, a malware analyst with Netherlands-based Sfylabs BV. Phuc says he first began developing the so-called Mac-A-Mal tool while pursuing his Master's Degree at the University of Trento in Italy.  

"There are tools for malware reverse-engineering, debugging, and malware analysis on Mac," including commercial tools like Hopper and IDA, and open-source tools like Radare2, MachO View, lldb, Otool, and Dtrace, Phuc noted in an email interview. But these tools mostly require manual analysis, which means the researcher also must have some know-how in order to use them.

"Each tool only solves one piece of the puzzle and it depends on experience of the researcher. Using these tools manually takes too much time and effort, and will never combat malicious software," said Phuc. "For a demand of thousands [of] malware per day, an automated framework with combination of useful tools would make malware analyst daily job easier."

Phuc and Fabio Massacci, his former professor at the University of Trento, will demonstrate Mac-A-Mal at Black Hat Asia in Singapore next week. The two also plan to soon release the tool as open-source.

[See researchers demonstrate Mac-A-Mal live at Black Hat Asia in Singapore next week, March 22-23: conference and registration information.]

 Mac-A-Mal uses a combination of static- and dynamic code analysis to detect MacOS malware, as well as to cheat anti-analysis methods that some malware authors use to evade detection and investigation. It gathers malware binary behavior patterns, such as network traffic, evasion methods, and file operation. The tool uses kernel-level system calls, which allows it to operate undetected. "It takes actual behavioral data of malware samples, executions, inside a sandbox," he said.

Half of Mac Malware = Backdoors

The researchers used the tool to parse some 2,000 Mac samples on VirusTotal, which led to the discovery of a previously unknown adware campaign that uses legitimate Apple developer certificates, keyloggers, and Trojans. They believe the adware operation is the handiwork of the APT32 aka OceanLotus group believed to be out of Vietnam, and it's targeting Chinese and Vietnamese organizations.

"By studying the first generation of Mac OceanLotus samples through our framework, we found some similar behavioral signatures amongst the family. In March 2017, we found a second generation of Mac APT32 which [has a] zero-detection rate over more than 50 antivirus vendors ... hunting those behaviors on VirusTotal," he said. That new variant is more advanced, he said.

Phuc says the team also discovered hundreds of other Mac malware samples that with manual tools would be difficult to identify, and nearly half of all Mac malware collected in 2017 on VirusTotal were backdoor Trojans. The majority of malware samples were adware, mostly OSX/Pirrit and OSX/MacKeeper. "We observed a total of 86 different Mac malware families until 2017, and 49% of them belongs to backdoor/Trojan" categories, he said.

Mac-A-Mal basically works like this: it finds MacOS malware and places the samples in a sandbox where it performs static analysis on multiple samples at the same time. "The sandbox is armored with network sniffer, system calls and behavior logging, as well as anti-evasion from kernel-mode to send back a report to analysis machine," Phuc explained.

Kernel-level monitoring has its advantages, according to Phuc. Namely it's a more complete view from the lower level of the operating system, while at the same time keeping Mac-A-Mal under cover from anti-analysis detection. Next up for Mac-A-Mal is machine learning capabilities: "We would like to later apply more robust and advanced techniques for better features extraction from the analysis, and machine learning for a larger scale of Mac samples," Phuc said.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
7/29/2018 | 4:06:30 AM
Re: I.WANT.THIS.
Hackers are growing in numbers and they know exactly which platforms are vulnerable enough to become their next target to hit. As much as we would like to update our systems at work and at home, we can never keep up with technology especially amidst our busy schedules. This makes us easy targets for hackers as they usually aim for the older versions of operating systems to hack into. However, usualy for personal usage, it is not much of a concern. Large corporations with so much data to share are usually the main target.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/16/2018 | 12:47:27 PM
Re: I.WANT.THIS.
I know they are hoping to release it soon, but I'm not clear it will be next week. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/15/2018 | 9:46:40 AM
I.WANT.THIS.
This sounds like a great tool and a great asset.  I hope it becomes publicly available soon!
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Ohio Man Sentenced To 15 Months For BEC Scam
Dark Reading Staff 8/20/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10902
PUBLISHED: 2018-08-21
It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possib...
CVE-2018-10932
PUBLISHED: 2018-08-21
lldptool version 1.0.1 and older can print a raw, unsanitized attacker controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal.
CVE-2018-15660
PUBLISHED: 2018-08-21
** DISPUTED ** An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions, then the attacker can read certain Ola Money data such as a credit card number, expiration date, bank account numbe...
CVE-2018-15661
PUBLISHED: 2018-08-21
** DISPUTED ** An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions and the ability to read SMS messages, then the Forgot Password screen can be used to bypass authentication. NOTE: th...
CVE-2018-15481
PUBLISHED: 2018-08-21
Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices using firmware version 5.1.x before 5.1.13 allows authenticated remote attackers to escape the shell and escalate their privileges by adding a LocalCommand to the SSH configuration file in the...