Peeling back the 'Shlayers' of macOS Malware

Presented at Objective by the Sea version 2.0 (2019), June 1, 2019, 5 p.m. (50 minutes)

In February of 2019, researchers at Intego reported on a family of macOS malware they had newly discovered in the wild, which they named Shlayer. In November 2018, Carbon Black researchers saw an increase in infections from malware later identified to be Shlayer and began a deeper investigation. The sites serving out this malware - mostly as fake Adobe Flash updates or malicious browser extensions - employed increasing levels of anti-analysis based on system and location fingerprinting to hinder harvesting of samples. Deeper analysis showed that these samples were signed with legitimate Apple developer IDs and used legitimate system applications via bash to conduct all installation activity, complicating detection. Furthermore, these samples were observed to achieve privilege escalation by use of the deprecated AuthorizationExecuteWithPrivileges API. In this talk we will provide a technical overview of exemplary samples of Shlayer, including site discovery, distribution techniques, obfuscation, privilege escalation, and behavior. We will also discuss the difficulties of analyzing macOS malware, as traditional disassemblers aren't enlightened to the inner workings of Objective-C. To address this gap in malware analysis tooling, we will present newly developed plugins for Binary Ninja that improve Objective-C analysis, including structure recovery and rendering objc_msgSend calls in a more readable format. Finally, we will demonstrate how our toolset aided in analysis of the Shlayer malware family. These tools will be released to the public after the talk.


Presenters:

  • Josh Watson - Senior Security Engineer at Trail of Bits
    Josh Watson is a Senior Security Engineer with Trail of Bits. An acknowledged Binary Ninja expert, he has both presented talks and taught training courses at conferences on automating analysis with Binary Ninja. In his spare time, he hosts a Twitch stream in which he writes tools and reverse engineers binaries with Binary Ninja for a live audience.
  • Erika Noerenberg - Senior Threat Researcher at Carbon Black
    Erika Noerenberg is a Senior Threat Researcher with Carbon Black’s Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development. Previously, she worked as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusion investigations for the Department of Defense and FBI.