The Wild World of macOS Installers

Presented at Objective by the Sea version 4.0 (2021), Oct. 1, 2021, 11:05 a.m. (50 minutes)

While malicious email attachments are the initial access mechanism of choice for other platforms, many macOS threats abuse software installers to subvert Apple's security controls and gain access. In some cases, adversaries even eschew including binary content in installation packages and just use the built-in installer structures to retrieve arbitrary content!

In this talk, I'll discuss installation methods that multiple threats have used, from suspected APTs to adware and proof-of-concept code. I'll cover package (PKG) installers with pre- and postinstall scripts, application bundles distributed in DMG files, and third-party library installation using tools such as Python's PIP utility. In addition to real-world examples documented in the wild, I'll also show the malware execution using data from endpoint detection and response (EDR) technology to provide ideas for effective analytics.

Presenters:

  • Tony Lambert - Intelligence Analyst, Red Canary
    Tony is a professional geek who loves to jump into all things related to detection and digital forensics. After working in enterprise IT administration and detection engineering for several years, he now applies his DFIR skills to research malware, detect malicious activity, and recommend pathways for remediation. Tony is a natural teacher and regularly shares his findings and expertise through blogs, research reports, and presentations at conferences and events.