Binary Emulation Environment for Mach-O Malware

Presented at Objective by the Sea version 3.0 (2020), March 13, 2020, 4:35 p.m. (25 minutes)

As threats on the Mac platform have increased in prevalence and sophistication, analysts require more time and resources to manually analyze available samples. As a result, the need to automate malware analysis has become of paramount importance. Although many static analysis tools exist for Mach-O binaries, the amount of actionable information able to be extracted from malicious samples is increasingly limited as adversaries employ additional methods of obfuscation. While more information can be obtained from traditional dynamic analysis, this method is costly in time and resources and is still vulnerable to anti-analysis techniques such as virtual machine detection. For this reason, methods for extracting data from binaries at scale typically rely on static analysis. Binee (Binary Emulation Environment) is an open source binary emulation environment developed by Carbon Black researchers Kyle Gwinnup and John Holowczak and introduced in August of 2019 at DEF CON 27. Through emulation of execution, Binee provides a method for capturing runtime information typically obtained from dynamic analysis, but at the cost and scale at which static analysis can run. Furthermore, Binee can run in the cloud at scale on any platform and output structured data for post processing. This can facilitate the automation of malware analysis, data extraction, and hunting across large datasets. Although previously only released for the emulation of Windows binaries, we have extended Binee functionality to support emulation of 64-bit Mach-O binaries. This talk will briefly introduce the "how" and "why" of Binee for Mach-O binaries, but will mostly focus on its application for the malware analyst and threat hunter using real-world samples to demonstrate the power of static process emulation.


  • Erika Noerenberg - Forensicator and malware RE, VMware Carbon Black TAU
    Erika Noerenberg is a Senior Threat Researcher with VMware Carbon Black’s Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development. Previously, she worked as a malware analyst at LogRhythm Labs and as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusions investigations for the Department of Defense and FBI.


Similar Presentations: