Office Drama on macOS

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 2:30 p.m. (40 minutes)

In the world of Windows, macro-based Office attacks are well understood (and frankly are rather old news). On macOS, however, such attacks are growing in popularity and are quite en vogue, yet they have received far less attention from the research and security community.

In this talk, we will begin by analyzing recent macro-laden documents targeting Apple's desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, these malicious documents and their payloads remain severely constrained by recent application- and OS-level security mechanisms.

However, things could be far worse! Here, we'll detail the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple's stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, or other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!

To conclude, we'll explore Apple's new Endpoint Security Framework, illustrating how it can be leveraged to thwart each stage of our exploit chain, as well as to generically detect advanced "document-delivered" payloads and even persistent nation-state malware!

Presenters:

  • Patrick Wardle - Principal Security Researcher, Jamf
    Patrick Wardle is a Principal Security Researcher and Founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0-days, analyzing macOS malware, and writing free open-source security tools to protect Mac users.
