Binary Facades: Reversing approaches to extract embedded scripts in compiled macOS malware

Presented at DEF CON 33 (2025), Aug. 9, 2025, 10 a.m. (20 minutes).

When confronted with malicious macOS binaries, analysts typically reach for a disassembler and immerse themselves in the complexities of low-level assembly. But what if this tedious process could be skipped entirely?

While many malware samples are distributed as native macOS binaries (easily run with a simple double-click), they frequently encapsulate scripts hidden within executable wrappers. Leveraging frameworks such as PyInstaller, Appify, Tauri, and Platypus, malware authors embed their scripts within binaries, complicating traditional analysis. Although these frameworks share the goal of producing natively executable binaries, each employs a distinct method to embed scripts, thus necessitating tailored extraction tools and approaches.

Using real-world macOS malware (such as Shlayer, CreativeUpdate, GravityRAT, and many others), we'll first demonstrate how to identify these faux binaries and then how to efficiently extract or reconstruct their embedded scripts, bypassing the disassembler entirely!

References:

  • P. Wardle: The Art of Mac Malware (Vol I: Analysis)
  • "Reverse Engineering a Native Desktop Application (Tauri App)" [link](https://infosecwriteups.com/reverse-engineering-a-native-desktop-application-tauri-app-5a2d92772da5)
  • "From The DPRK With Love: analyzing a recent north korean macOS backdoor" [link](https://objective-see.org/blog/blog_0x6E.html)
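As an added illustration of one of the distinct embedding methods the abstract refers to (example code written for this page, not material from the talk, from PyInstaller, or from any named tool): PyInstaller marks its embedded archive with a fixed "cookie" whose layout is assumed here to be the 2.1+ big-endian format, so a triage script can confirm the wrapper and locate the archive's table of contents without touching a disassembler. The sample file built by `build_sample` is a constructed fixture, not a real malware sample.

```python
import struct

# PyInstaller CArchive cookie: 8-byte magic, then five fields.
# Layout assumed from the PyInstaller 2.1+ bootloader format (big-endian):
#   magic(8s) len_package(I) toc_offset(I) toc_len(I) py_version(I) pylib_name(64s)
PYI_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return archive/TOC locations if `data` carries a PyInstaller cookie, else None.

    The whole file is scanned (last occurrence wins) because the archive may be
    an appended overlay or, in newer macOS builds, live inside a Mach-O section.
    """
    pos = data.rfind(PYI_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # len_package counts everything from the archive start through the cookie itself.
    archive_start = pos + COOKIE_SIZE - pkg_len
    if archive_start < 0:
        return None  # inconsistent cookie: treat as not a valid archive
    # Version is encoded as major*100+minor (e.g. 311); very old builds used major*10+minor.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {
        "python_version": f"{major}.{minor}",
        "pylib_name": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "archive_offset": archive_start,
        "toc_offset": archive_start + toc_off,  # absolute file offset of the TOC
        "toc_length": toc_len,
    }


def build_sample(host: bytes, payload: bytes, toc_off: int, toc_len: int) -> bytes:
    """Constructed fixture: a fake host binary with a PyInstaller-style archive appended."""
    pkg_len = len(payload) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, toc_off, toc_len, 311, b"Python")
    return host + payload + cookie


if __name__ == "__main__":
    fake_host = b"\xcf\xfa\xed\xfe" + b"\0" * 60          # constructed: Mach-O magic + padding
    fake_archive = b"A" * 30 + b"T" * 10                   # constructed: TOC is the last 10 bytes
    print(find_pyinstaller_cookie(build_sample(fake_host, fake_archive, 30, 10)))
```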

Presenters:

  • Patrick Wardle
    Patrick Wardle is the founder of the Objective-See Foundation, the CEO/Cofounder of DoubleYou, and the author of "The Art of Mac Malware" book series. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Passionate about macOS security, Patrick spends his days discovering Apple 0days, studying macOS malware, and releasing free open-source security tools to protect Mac users.
