Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

Researchers Explore Remote Code Injection in macOS

Deep Instinct analysts test three code injection methods and a custom-built Mach-O loader to load malicious files from memory.

Malware authors often use code injection to hide activity and bypass security defenses. There are several ways to implement code injection techniques, which run malicious code through unsuspected or legitimate system processes. Malware writes part of the code in a remote process' memory, which executes malicious code not part of the process' original execution flow.

Code injection methods are a hot topic among security researchers; however, much of their work focuses on the Windows operating system given its ubiquity among consumer and business users. However, as macOS grows more common, Deep Instinct decided to pivot its code injection research toward Apple machines. In a new paper published today, security researcher Alon Weinberg digs into their discoveries.

"MacOS is becoming more popular, specifically in the United States," says Shimon Oren, head of threat research at Deep Instinct, in an exclusive interview with Dark Reading.

There is also an impression macOS is more secure than Windows or Android, he continues. While it's true that Apple's operating systems are less susceptible to malware using code injection, they are not immune to it. As Weinberg found, it's still possible for Mac devices to get infected by code execution techniques using remote process hooking. Further, when the malware hits, it's likely to go undetected: the techniques he analyzed bypass several popular security tools for macOS.

"Right now if an attacker wants to use these mechanisms, there is no solution in the marketplace that can protect against it," Oren says. Researchers tested code injection methods across a range of freeware and enterprise solutions for Mac; a handful of tactics evaded all of them.

As part of his research, Weinberg tested three remote code injection methods and a new custom-built reflective Mach-O loader. Unlike code injection or a hooking technique, this loader would let an attacker load Mach-O files from memory and not the disk, more effectively bypassing defenses.

Mach-O is the format used in macOS and iOS for executable files; it provides metadata to help the loader in loading an executable. When the loader loads a Mach-O file, it loads the architecture appropriate for the device's CPU, and only loads the relevant part of the Mach-O.

Mac Attacks

The core of Weinberg's report digs into three sparsely documented tactics to hook functions on a remote process, as well as the new custom loader designed by the Deep Instinct research team, to achieve code execution. The three tactics outlined in the paper exploit the Mach-O format to do this, says Oren. There is no vulnerability in Mach-O, he adds; these methods abuse the way it's built to work.

Weinberg uses "Hook-Inj" as a term to group these tactics, which are based on remote process hooking but were used to achieve code execution in remote processes. The first he describes was initially published in a Facebook project called fishhook, where it was only used for hooking functions in a local process. Researchers found a way to modify the method for code execution.

The second, specifically called "Dummy Hook," is a hooking technique used for Mach-O loaders, which only works if there is a function defined as a lazy function. The third, OCHook, is used to inject code into Objective-C, a C-based object-oriented language widely used in macOS and iOS.

Each of these methods has a different use case depending on the attacker's goals. "If he knows he wants to inject code into an Objective-C type of program, [he] should go for the OCHooking," says Weinberg. It's easier to implement, for starters, and has more capabilities involved.

The custom Mach-O loader is another means to evade detection without code injection or a hooking technique. An attacker could use this to execute Mach-O files from memory and load malicious features or functions not written on the disk. All they'd need is the loader – which Oren says can appear as a legitimate function on the computer – on the machine in order to deploy malicious activity.

"In a way, both the injection techniques and the loader in itself can be looked at as infrastructure to load almost whatever you want," he explains, adding that "with these kinds of tools you can achieve a lot." However, "you need to be very technical."

While the concept of code injection is similar on Windows and Mac machines, there are specific factors that are very relevant to macOS, and an attacker would have to be well-versed in those details to take advantage of these techniques. Fortunately, he adds, the techniques Weinberg explored are still new to the security community and the possibility they're used in the wild is low.

There isn't much Mac owners can do to defend against the methods Weinberg describes, as he notes in a blog post on his findings. Deep Instinct did not coordinate with Apple on disclosure of these tactics because, as Oren explains, there is no vulnerability to patch. Apple could provide more hardening, but even if it changed the legitimate process of the Mach-O loader,the techniques would be "just slightly different" but the idea would stay the same.

"In general, the whole code injection execution area is still somewhere that's more in the courts of security vendors than in the courts of the operating system vendors," Oren says. He advises vendors to familiarize with both known and relatively unknown code injection methods to protect devices.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.