Malware authors often use code injection to hide activity and bypass security defenses. There are several ways to implement code injection techniques, which run malicious code through unsuspected or legitimate system processes. Malware writes part of the code in a remote process' memory, which executes malicious code not part of the process' original execution flow.
Code injection methods are a hot topic among security researchers; however, much of their work focuses on the Windows operating system given its ubiquity among consumer and business users. However, as macOS grows more common, Deep Instinct decided to pivot its code injection research toward Apple machines. In a new paper published today, security researcher Alon Weinberg digs into their discoveries.
"MacOS is becoming more popular, specifically in the United States," says Shimon Oren, head of threat research at Deep Instinct, in an exclusive interview with Dark Reading.
There is also an impression macOS is more secure than Windows or Android, he continues. While it's true that Apple's operating systems are less susceptible to malware using code injection, they are not immune to it. As Weinberg found, it's still possible for Mac devices to get infected by code execution techniques using remote process hooking. Further, when the malware hits, it's likely to go undetected: the techniques he analyzed bypass several popular security tools for macOS.
"Right now if an attacker wants to use these mechanisms, there is no solution in the marketplace that can protect against it," Oren says. Researchers tested code injection methods across a range of freeware and enterprise solutions for Mac; a handful of tactics evaded all of them.
As part of his research, Weinberg tested three remote code injection methods and a new custom-built reflective Mach-O loader. Unlike code injection or a hooking technique, this loader would let an attacker load Mach-O files from memory and not the disk, more effectively bypassing defenses.
Mach-O is the format used in macOS and iOS for executable files; it provides metadata to help the loader in loading an executable. When the loader loads a Mach-O file, it loads the architecture appropriate for the device's CPU, and only loads the relevant part of the Mach-O.
The core of Weinberg's report digs into three sparsely documented tactics to hook functions on a remote process, as well as the new custom loader designed by the Deep Instinct research team, to achieve code execution. The three tactics outlined in the paper exploit the Mach-O format to do this, says Oren. There is no vulnerability in Mach-O, he adds; these methods abuse the way it's built to work.
Weinberg uses "Hook-Inj" as a term to group these tactics, which are based on remote process hooking but were used to achieve code execution in remote processes. The first he describes was initially published in a Facebook project called fishhook, where it was only used for hooking functions in a local process. Researchers found a way to modify the method for code execution.
The second, specifically called "Dummy Hook," is a hooking technique used for Mach-O loaders, which only works if there is a function defined as a lazy function. The third, OCHook, is used to inject code into Objective-C, a C-based object-oriented language widely used in macOS and iOS.
Each of these methods has a different use case depending on the attacker's goals. "If he knows he wants to inject code into an Objective-C type of program, [he] should go for the OCHooking," says Weinberg. It's easier to implement, for starters, and has more capabilities involved.
The custom Mach-O loader is another means to evade detection without code injection or a hooking technique. An attacker could use this to execute Mach-O files from memory and load malicious features or functions not written on the disk. All they'd need is the loader – which Oren says can appear as a legitimate function on the computer – on the machine in order to deploy malicious activity.
"In a way, both the injection techniques and the loader in itself can be looked at as infrastructure to load almost whatever you want," he explains, adding that "with these kinds of tools you can achieve a lot." However, "you need to be very technical."
While the concept of code injection is similar on Windows and Mac machines, there are specific factors that are very relevant to macOS, and an attacker would have to be well-versed in those details to take advantage of these techniques. Fortunately, he adds, the techniques Weinberg explored are still new to the security community and the possibility they're used in the wild is low.
There isn't much Mac owners can do to defend against the methods Weinberg describes, as he notes in a blog post on his findings. Deep Instinct did not coordinate with Apple on disclosure of these tactics because, as Oren explains, there is no vulnerability to patch. Apple could provide more hardening, but even if it changed the legitimate process of the Mach-O loader,the techniques would be "just slightly different" but the idea would stay the same.
"In general, the whole code injection execution area is still somewhere that's more in the courts of security vendors than in the courts of the operating system vendors," Oren says. He advises vendors to familiarize with both known and relatively unknown code injection methods to protect devices.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.