Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/30/2019
09:00 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Researchers Explore Remote Code Injection in macOS

Deep Instinct analysts test three code injection methods and a custom-built Mach-O loader to load malicious files from memory.

Malware authors often use code injection to hide activity and bypass security defenses. There are several ways to implement code injection techniques, which run malicious code through unsuspected or legitimate system processes. Malware writes part of the code in a remote process' memory, which executes malicious code not part of the process' original execution flow.

Code injection methods are a hot topic among security researchers; however, much of their work focuses on the Windows operating system given its ubiquity among consumer and business users. However, as macOS grows more common, Deep Instinct decided to pivot its code injection research toward Apple machines. In a new paper published today, security researcher Alon Weinberg digs into their discoveries.

"MacOS is becoming more popular, specifically in the United States," says Shimon Oren, head of threat research at Deep Instinct, in an exclusive interview with Dark Reading.

There is also an impression macOS is more secure than Windows or Android, he continues. While it's true that Apple's operating systems are less susceptible to malware using code injection, they are not immune to it. As Weinberg found, it's still possible for Mac devices to get infected by code execution techniques using remote process hooking. Further, when the malware hits, it's likely to go undetected: the techniques he analyzed bypass several popular security tools for macOS.

"Right now if an attacker wants to use these mechanisms, there is no solution in the marketplace that can protect against it," Oren says. Researchers tested code injection methods across a range of freeware and enterprise solutions for Mac; a handful of tactics evaded all of them.

As part of his research, Weinberg tested three remote code injection methods and a new custom-built reflective Mach-O loader. Unlike code injection or a hooking technique, this loader would let an attacker load Mach-O files from memory and not the disk, more effectively bypassing defenses.

Mach-O is the format used in macOS and iOS for executable files; it provides metadata to help the loader in loading an executable. When the loader loads a Mach-O file, it loads the architecture appropriate for the device's CPU, and only loads the relevant part of the Mach-O.

Mac Attacks

The core of Weinberg's report digs into three sparsely documented tactics to hook functions on a remote process, as well as the new custom loader designed by the Deep Instinct research team, to achieve code execution. The three tactics outlined in the paper exploit the Mach-O format to do this, says Oren. There is no vulnerability in Mach-O, he adds; these methods abuse the way it's built to work.

Weinberg uses "Hook-Inj" as a term to group these tactics, which are based on remote process hooking but were used to achieve code execution in remote processes. The first he describes was initially published in a Facebook project called fishhook, where it was only used for hooking functions in a local process. Researchers found a way to modify the method for code execution.

The second, specifically called "Dummy Hook," is a hooking technique used for Mach-O loaders, which only works if there is a function defined as a lazy function. The third, OCHook, is used to inject code into Objective-C, a C-based object-oriented language widely used in macOS and iOS.

Each of these methods has a different use case depending on the attacker's goals. "If he knows he wants to inject code into an Objective-C type of program, [he] should go for the OCHooking," says Weinberg. It's easier to implement, for starters, and has more capabilities involved.

The custom Mach-O loader is another means to evade detection without code injection or a hooking technique. An attacker could use this to execute Mach-O files from memory and load malicious features or functions not written on the disk. All they'd need is the loader – which Oren says can appear as a legitimate function on the computer – on the machine in order to deploy malicious activity.

"In a way, both the injection techniques and the loader in itself can be looked at as infrastructure to load almost whatever you want," he explains, adding that "with these kinds of tools you can achieve a lot." However, "you need to be very technical."

While the concept of code injection is similar on Windows and Mac machines, there are specific factors that are very relevant to macOS, and an attacker would have to be well-versed in those details to take advantage of these techniques. Fortunately, he adds, the techniques Weinberg explored are still new to the security community and the possibility they're used in the wild is low.

There isn't much Mac owners can do to defend against the methods Weinberg describes, as he notes in a blog post on his findings. Deep Instinct did not coordinate with Apple on disclosure of these tactics because, as Oren explains, there is no vulnerability to patch. Apple could provide more hardening, but even if it changed the legitimate process of the Mach-O loader,the techniques would be "just slightly different" but the idea would stay the same.

"In general, the whole code injection execution area is still somewhere that's more in the courts of security vendors than in the courts of the operating system vendors," Oren says. He advises vendors to familiarize with both known and relatively unknown code injection methods to protect devices.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
The State of Email Security and Protection
Mike Flouton, Vice President of Email Security at Barracuda Networks,  11/5/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Dueling Free Throws A riff on the song Dueling Banjos
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-18853
PUBLISHED: 2019-11-11
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
CVE-2019-18854
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
CVE-2019-18855
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18856
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.