Mac-A-Mal: An Automated Platform for Mac Malware Hunting

Presented at Black Hat Asia 2018, March 23, 2018, 3:30 p.m. (30 minutes).

As Mac systems grow in popularity, so does macOS malware, while macOS malware analysis still lags behind, particularly when we deal with malicious behaviors in user space.

To address this shortcoming, we have developed a macOS malware analyzer, Mac-A-Mal: a system for behavioral monitoring of components at the kernel level which allows analysts to investigate malware on macOS automatically, broadly extending what is available today with the Cuckoo sandbox. By hooking system calls at the kernel level, the framework is able to detect and mitigate malware anti-analysis techniques. In particular, it combines static and dynamic analysis to extract useful information and suspicious behaviors from malware binaries, such as their network traffic, evasion techniques, persistence methods and file operations, without being detected by common Mac malware evasion techniques.
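To make concrete the kind of behavioral summary a kernel-level syscall-hooking monitor feeds to an analyst, here is an added example; it is not Mac-A-Mal's code, and the trace line format, the process id, the plist name and the address are constructed for illustration. It parses a made-up syscall trace and tags events as persistence (writes to LaunchAgents/LaunchDaemons plists), anti-analysis (a PT_DENY_ATTACH ptrace request, a hardware-model sysctl query commonly used to fingerprint virtual machines), network connections, and file writes, then produces a per-behavior summary.

```python
import re

# Constructed sample of a kernel-level syscall trace in a made-up
# "key=value" line format. This is NOT Mac-A-Mal's real output format;
# pid, paths and address are illustrative only.
SAMPLE_TRACE = """\
pid=4242 syscall=ptrace request=PT_DENY_ATTACH
pid=4242 syscall=sysctl name=hw.model
pid=4242 syscall=open path=/Users/alice/Library/LaunchAgents/com.example.updater.plist flags=O_WRONLY|O_CREAT
pid=4242 syscall=write path=/Users/alice/Library/LaunchAgents/com.example.updater.plist bytes=512
pid=4242 syscall=connect addr=203.0.113.7:443
pid=4242 syscall=open path=/tmp/cache.dat flags=O_RDONLY
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

# Directories whose plists launchd loads at login/boot: writes here are a
# classic macOS persistence indicator.
PERSISTENCE_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT"}


def parse_line(line):
    """Turn one 'key=value key=value ...' trace line into a dict."""
    return dict(LINE_RE.findall(line))


def is_write(ev):
    """True if the event writes to a file (a write() or an open() for writing)."""
    if ev.get("syscall") == "write":
        return True
    if ev.get("syscall") == "open":
        return bool(WRITE_FLAGS & set(ev.get("flags", "").split("|")))
    return False


def tag_event(ev):
    """Map one parsed syscall event to a list of (tag, detail) pairs."""
    tags = []
    sc = ev.get("syscall")
    path = ev.get("path", "")
    # Anti-debugging: a process asking the kernel to deny debugger attachment.
    if sc == "ptrace" and ev.get("request") == "PT_DENY_ATTACH":
        tags.append(("anti_analysis", "ptrace PT_DENY_ATTACH"))
    # VM fingerprinting: querying the hardware model string.
    if sc == "sysctl" and ev.get("name") == "hw.model":
        tags.append(("anti_analysis", "sysctl hw.model"))
    if is_write(ev):
        tags.append(("file_write", path))
        if any(d in path for d in PERSISTENCE_DIRS):
            tags.append(("persistence", path))
    if sc == "connect":
        tags.append(("network", ev.get("addr", "")))
    return tags


def summarize(trace_text):
    """Aggregate a whole trace into {tag: sorted unique details}."""
    summary = {}
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        for tag, detail in tag_event(parse_line(line)):
            summary.setdefault(tag, set()).add(detail)
    return {tag: sorted(details) for tag, details in summary.items()}


if __name__ == "__main__":
    for tag, details in sorted(summarize(SAMPLE_TRACE).items()):
        print(f"{tag}:")
        for d in details:
            print(f"  {d}")
```

The rules are deliberately simple string matches so the mapping from raw syscall to analyst-facing behavior is visible; a real monitor would add many more indicators and correlate them per process.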

We have used the framework to evaluate thousands of macOS samples (obtained from VirusTotal) to estimate how widespread Mac malware variants and families are today. Mac malware in 2017 shows a drastic improvement in its use of evasion techniques. Overall, we used our system to classify the dataset and found that 85% of collected samples are adware, and 49% of classified variants belong to backdoors/trojans.

By hunting Mac samples on VirusTotal, we found a previously undiscovered organized adware campaign which leverages several legitimate Apple developer certificates, a few other undetected keyloggers, trojan samples participating in APT32 OceanLotus targeting Chinese and Vietnamese organizations, as well as hundreds of malware samples which otherwise have low detection rates.


Presenters:

  • Fabio Massacci - Professor, University of Trento, Italy
    Fabio Massacci received an M.Eng. in 1993 and a Ph.D. in Computer Science and Engineering from the University of Rome "La Sapienza" in 1998. He spent a year in Cambridge working with L. Paulson and R. Needham on security protocol verification. He joined the University of Siena as Assistant Professor in 1999, was a visiting researcher at IRIT Toulouse in 2000, and joined Trento in 2001, where he is now a full professor. His research interests are in security requirements engineering, formal methods and computer security. He has co-authored more than 100 papers in peer-reviewed journals and international conferences. His h-index is f(t,x) (where t is time and x depends on Scopus, Google Scholar, the Firefox plug-ins etc.). Jointly with W. Joosen he co-founded ESSoS, the Engineering Secure Software and Systems Symposium, which aims at bringing together security and software engineering researchers and practitioners. ESSoS is held in cooperation with ACM SIGSAC, ACM SIGSOFT, and IEEE TCSP. He has been administrative or scientific coordinator for integrated projects on security (S3MS, MASTER) and is coordinator of another integrated project on security engineering for evolvable systems (SecureChange). He also participates in the ANIKETOS, EFFECTS+ and NESSOS projects. Until 2008 he was deputy rector for ICT procurement and services at Trento, a pastime with 70 members of staff and a 5M Euro yearly budget. This gave him an incredible advantage for an ICT researcher: being also a customer of ICT solutions that never really work as advertised, and thus spurring him to new research ideas.
  • Pham Duy Phuc - Malware analyst, Sfylabs BV, the Netherlands
    Pham Duy Phuc is an Android malware analyst at Sfylabs, the Netherlands. During his Master's studies at the University of Trento, Italy, he proposed the thesis "Automated macOS malware analysis", which discovered numerous undetected Mac malware samples. When he isn't glued to computer viruses, he spends time playing CTF with his team, BabyPhD (Vietnam), which he founded.
