While malicious email attachments are the initial access mechanism of choice for other platforms, many macOS threats abuse software installers to subvert Apple's security controls and gain access. In some cases, adversaries even eschew including binary content in installation packages and just use the built-in installer structures to retrieve arbitrary content!
In this talk, I'll discuss installation methods that multiple threats have used, from suspected APTs to adware and proof-of-concept code. I'll cover package (PKG) installers with pre- and postinstall scripts, application bundles distributed in DMG files, and third-party library installation using tools such as Python's PIP utility. In addition to real-world examples documented in the wild, I'll also show the malware execution using data from endpoint detection and response (EDR) technology to provide ideas for effective analytics.