Demystifying macOS: An investigation into the dynamics of macOS attacks

Akhil Reddy/FireEye

There's a common myth that macOS is completely secure. While anti-malware features such as Gatekeeper and XProtect are built into the OS, we have observed scenarios where malware was delivered via 0-day exploits, circumventing all of these protections and infecting users. This shows that macOS machines also need to be monitored to identify malicious activity.

Attackers leverage LaunchAgents and LaunchDaemons to establish persistence and attempt to disguise them to avoid suspicion. Some of these attacks weaponize built-in tools for data exfiltration. In this presentation, we take an investigative, behavior-based approach to identifying the anomalies in an infected Mac and tracing them back to the responsible binary or application and its artifacts.
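As an added illustration of the triage described above (example code written for this page, not FireEye's or the speaker's tooling), the script below parses launchd property lists and flags the disguises the abstract mentions: an Apple-looking label installed outside Apple-managed directories, a program hidden in a dot-directory or scratch location, and a job that wraps a built-in interpreter or download tool. The directory list, interpreter list and the three sample jobs are constructed assumptions for the demonstration and would be tuned per fleet.

```python
"""Heuristic triage of launchd property lists (LaunchAgents/LaunchDaemons)."""
import plistlib
import posixpath
from xml.parsers.expat import ExpatError

# Scratch locations where a persistent program is worth a second look (assumption, tune per fleet).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Library/Caches/")
# Built-in interpreters and network clients often wrapped by a launchd job to run a second stage.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}


def program_of(plist):
    """Return the executable path a launchd job starts, or None if the job runs nothing."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage(plist_path, plist_bytes):
    """Return a list of human-readable findings for one launchd plist (empty list = nothing odd)."""
    findings = []
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable plist"]
    label = plist.get("Label", "")
    program = program_of(plist)
    if not program:
        return findings

    # 1. Apple-style label installed anywhere but the Apple-managed /System/Library tree.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/Library/"):
        findings.append(f"label {label!r} impersonates Apple but lives at {plist_path}")

    # 2. The program, or any absolute path passed to it, sits in a scratch or hidden location.
    args = plist.get("ProgramArguments", [])
    for candidate in [program] + [a for a in args[1:] if a.startswith("/")]:
        if candidate.startswith(SUSPICIOUS_DIRS):
            findings.append(f"path in scratch directory: {candidate}")
        if any(part.startswith(".") for part in candidate.split("/") if part):
            findings.append(f"path with hidden component: {candidate}")

    # 3. Job wraps an interpreter or download tool with inline arguments.
    base = posixpath.basename(program)
    if base in INTERPRETERS and len(args) > 1:
        findings.append(f"interpreter {base} invoked with args {args[1:]}")

    # 4. Annotate persistence strength only when something else already looked off.
    if findings and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: restarts when killed and at every login")
    return findings


# Constructed sample jobs, serialized through plistlib so the parser path is exercised.
SAMPLES = {
    "/System/Library/LaunchDaemons/com.apple.example.plist": plistlib.dumps({
        "Label": "com.apple.example",
        "Program": "/usr/libexec/exampled",
        "RunAtLoad": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/Users/alice/Library/.cache/updater"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Library/LaunchDaemons/com.example.helper.plist": plistlib.dumps({
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/sh", "-c", "/tmp/.x/run.sh"],
        "RunAtLoad": True,
    }),
}


def scan(samples):
    """Map each plist path to its findings."""
    return {path: triage(path, data) for path, data in samples.items()}


if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(path, "->", findings or ["clean"])
```

On a live system the same `triage` function would be fed the bytes of every file under `/Library/LaunchAgents`, `/Library/LaunchDaemons` and each user's `~/Library/LaunchAgents`; the findings point the analyst at the binary to pull for further analysis rather than deciding maliciousness on their own.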

As part of the presentation, we'll analyze some of the recent Mac malware seen in the wild, such as LAMEPYRE, NETWIRE and MOKES. NETWIRE and MOKES were delivered via a Firefox 0-day exploit that bypassed all defense mechanisms. The analysis covers how the malware was able to bypass Gatekeeper and XProtect. We'll further discuss how to use built-in tools for this analysis.

In conclusion, we'll demonstrate how behavior-based techniques can help detection engines proactively identify unknown threats in the Mac threat landscape.

November 7 at 16:10 - 16:40, Stage B

Akhil Reddy is a Research Scientist at FireEye's Operations and Research Center for Endpoint, who specializes in developing behavior-based detections. He is responsible for hunting and analysis of new threats, research on exploits and improving detection systems.