Herding cattle in the desert: How malware actors have adjusted to new security enhancements in Mojave

Presented at Objective by the Sea version 2.0 (2019), June 1, 2019, 1:15 p.m. (50 minutes)

Malware on the Mac has always been like a unicorn: a creature from folk tales. But in recent years, what was thought of as a unicorn turned out to be the shadow of a horse with a wooden peg on its head: a story told to give users a (false) sense of security. Mac malware is on the rise, at an alarming rate. Estimates indicate that over 12% of Macs showed malicious activity in the past year. The most common types are adware, monetizing malware and scareware such as fake cleaners.

In contrast, each new version of macOS introduces improved security mechanisms, supposedly setting a higher bar for successful infection. Mechanisms such as Quarantine, SIP and Gatekeeper verify software integrity and make changes to user and OS settings more difficult; TCC (Transparency, Consent, and Control) requires stricter user consent during app installation; and XProtect and MRT finish off with rules to detect malicious files. Still, Mac malware is on the rise, with 12M infected machines identified in 2018 alone, while the year-over-year growth of infections has been over 100% since 2016: a clear signal that the bad guys adapt fast.

In this talk, we'll deep dive into recent security changes in macOS Mojave and Safari and examine how these updates impacted actors of highly distributed malware in terms of number of infections and, more importantly, monetization. We'll take a look at malware actors currently infecting machines in the wild (Bundlore and Genio, to name a few) and investigate how their tactics evolved after the update: from vectors of infection that bypass Gatekeeper, getting around the new TCC dialogs and hijacking search in a SIP-protected Safari, to persistence and reinfection mechanisms that ultimately turn these 'annoying PUPs' into a fully fledged backdoored botnet.

Presenters:

  • Omer Zohar - VP Research and Labs, Airo Security
    A security researcher for over a decade, Omer has been conducting multidisciplinary research on malware behavior and how to detect it. Omer currently heads the research team at Airo Security and manages its Lab Operations, dedicated to hunting Mac malware and protecting Mac consumers. Previously, as Head of Research for TopSpin Security, he investigated malware C&C infrastructure and protocols to create a behavior-based detection engine that correlates time-series network and reputation data along with a deception overlay. He authored 'Deceive and Succeed: Using Deception for Post-Breach Detection' (DEF CON 2016), where he investigated how malicious actors interact with various deception mechanisms to measure their effectiveness.
