Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

Researchers Explore Remote Code Injection in macOS

Deep Instinct analysts test three code injection methods and a custom-built Mach-O loader to load malicious files from memory.

Malware authors often use code injection to hide activity and bypass security defenses. There are several ways to implement code injection techniques, which run malicious code through unsuspected or legitimate system processes. Malware writes part of the code in a remote process' memory, which executes malicious code not part of the process' original execution flow.

Code injection methods are a hot topic among security researchers; however, much of their work focuses on the Windows operating system given its ubiquity among consumer and business users. However, as macOS grows more common, Deep Instinct decided to pivot its code injection research toward Apple machines. In a new paper published today, security researcher Alon Weinberg digs into their discoveries.

"MacOS is becoming more popular, specifically in the United States," says Shimon Oren, head of threat research at Deep Instinct, in an exclusive interview with Dark Reading.

There is also an impression macOS is more secure than Windows or Android, he continues. While it's true that Apple's operating systems are less susceptible to malware using code injection, they are not immune to it. As Weinberg found, it's still possible for Mac devices to get infected by code execution techniques using remote process hooking. Further, when the malware hits, it's likely to go undetected: the techniques he analyzed bypass several popular security tools for macOS.

"Right now if an attacker wants to use these mechanisms, there is no solution in the marketplace that can protect against it," Oren says. Researchers tested code injection methods across a range of freeware and enterprise solutions for Mac; a handful of tactics evaded all of them.

As part of his research, Weinberg tested three remote code injection methods and a new custom-built reflective Mach-O loader. Unlike code injection or a hooking technique, this loader would let an attacker load Mach-O files from memory and not the disk, more effectively bypassing defenses.

Mach-O is the format used in macOS and iOS for executable files; it provides metadata to help the loader in loading an executable. When the loader loads a Mach-O file, it loads the architecture appropriate for the device's CPU, and only loads the relevant part of the Mach-O.

Mac Attacks

The core of Weinberg's report digs into three sparsely documented tactics to hook functions on a remote process, as well as the new custom loader designed by the Deep Instinct research team, to achieve code execution. The three tactics outlined in the paper exploit the Mach-O format to do this, says Oren. There is no vulnerability in Mach-O, he adds; these methods abuse the way it's built to work.

Weinberg uses "Hook-Inj" as a term to group these tactics, which are based on remote process hooking but were used to achieve code execution in remote processes. The first he describes was initially published in a Facebook project called fishhook, where it was only used for hooking functions in a local process. Researchers found a way to modify the method for code execution.

The second, specifically called "Dummy Hook," is a hooking technique used for Mach-O loaders, which only works if there is a function defined as a lazy function. The third, OCHook, is used to inject code into Objective-C, a C-based object-oriented language widely used in macOS and iOS.

Each of these methods has a different use case depending on the attacker's goals. "If he knows he wants to inject code into an Objective-C type of program, [he] should go for the OCHooking," says Weinberg. It's easier to implement, for starters, and has more capabilities involved.

The custom Mach-O loader is another means to evade detection without code injection or a hooking technique. An attacker could use this to execute Mach-O files from memory and load malicious features or functions not written on the disk. All they'd need is the loader – which Oren says can appear as a legitimate function on the computer – on the machine in order to deploy malicious activity.

"In a way, both the injection techniques and the loader in itself can be looked at as infrastructure to load almost whatever you want," he explains, adding that "with these kinds of tools you can achieve a lot." However, "you need to be very technical."

While the concept of code injection is similar on Windows and Mac machines, there are specific factors that are very relevant to macOS, and an attacker would have to be well-versed in those details to take advantage of these techniques. Fortunately, he adds, the techniques Weinberg explored are still new to the security community and the possibility they're used in the wild is low.

There isn't much Mac owners can do to defend against the methods Weinberg describes, as he notes in a blog post on his findings. Deep Instinct did not coordinate with Apple on disclosure of these tactics because, as Oren explains, there is no vulnerability to patch. Apple could provide more hardening, but even if it changed the legitimate process of the Mach-O loader,the techniques would be "just slightly different" but the idea would stay the same.

"In general, the whole code injection execution area is still somewhere that's more in the courts of security vendors than in the courts of the operating system vendors," Oren says. He advises vendors to familiarize with both known and relatively unknown code injection methods to protect devices.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-30
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource co...
PUBLISHED: 2020-03-30
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the re...
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.