![]() Analyzing and understanding persistence tactics enables researchers to build behavior-based detections and train automated machine learning (ML) detections. Most threats, including macOS malware, attempt to ensure persistence to survive system reboots. For example, older OSX.FlashBack backdoor variants were known to use Java exploits to compromise targets.īy understanding delivery and infection vectors, researchers can take a layered approach to security, building protection capabilities to stop breaches. More complex attacks use exploits in different applications or in compromised OS kernels or accounts. Other malware variants, such as OSX.XCSSET, are distributed via either malicious documents or supply chain attacks targeting legitimate software development tools such as Xcode, Apple’s IDE. OSX.EvilQuest ransomware installing as fake Mixed In Key DJ application Fake updates, fake applications, trojanized applications and tainted versions of legitimate applications are the most common methods used to trick users into installing malicious software.įor example, OSX.EvilQuest ransomware has been known to impersonate popular sound mixing applications (as seen in Figure 3), while trojans like OSX.Lador are distributed via spam emails that contain malicious add-ons, cracked applications, free programs and fake updates.įigure 3. One of the most common methods of spreading malware involves using social engineering tactics in an attempt to trick the user into manually infecting their macOS. AppleScripts or AppleScript variants like Run-only that are used for automating repetitive tasks are often abused by macOS threats such as OSX.OSAMiner, a popular cryptocurrency miner.dmg file - that has a postinstall script that copies the malicious OSX.EvilQuest binary to /Library/mixednkey/ under the name toolroomd. For example, OSX.EvilQuest uses a malicious package - after mounting the. mpkg) are another common file type abused by malware as they allow malware developers to define preinstall and postinstall scripts that automatically run through the installation process. Apple Disk Images (.dmg) are favored because they’re automatically mounted on execution both OSX.EvilQuest (Figure 3) and OSX.Shlayer malware typically use this file type.Figure 2 offers an overview of macOS malware file types.Įven though most malware are compiled binaries, many non-binary file types are commonly encountered while analyzing macOS malware each has its own advantages and disadvantages for the adversaries that use them. File-type identification also helps in establishing the tools required in the analysis. Malware developers often try to hide or mask file types in an attempt to trick users into executing them. File Type Classification for macOS Threats ![]() ![]() Threats that target macOS systems have the same goals as those targeting any other operating systems they range from spying and reconnaissance to cryptocurrency mining, file encryption, remote access, and adware-related hijack and injection. MacOS malware research starts with the fundamentals, such as classifying macOS malware by file type continues with the capabilities, intended targets and general behavior of malware and ends with obstacles researchers encounter when analyzing macOS malware. The deep understanding and knowledge they gain is used both to create new features for structural parsing that augments our machine learning detection capabilities and to improve the proficiency of our behavior-based protection. ![]() This blog addresses some of the challenges and requirements our researchers must meet when analyzing macOS threats. The fallacies that macOS cannot be harmed by threats or is targeted by less-sophisticated malware still linger. CrowdStrike researchers constantly hunt, analyze and gain understanding of any macOS artifact that looks even remotely suspicious to improve CrowdStrike’s automated machine learning and behavior-based protection capabilities. Improving the CrowdStrike Falcon® platform’s ability to detect macOS threats is a continuous process. OSX.EvilQuest was the most prevalent macOS ransomware family in 2021, accounting for 98% of ransomware in the researchers’ analysis, while OSX.Flashback accounted for 31% of macOS backdoor threats and OSX.Lador accounted for 47% of macOS trojans. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |