DEF CON 2019: MacOS Gets a Malware Beatdown in Attack Demo

Patrick Wardle proves that signature-based anti-malware protection on Macs is woefully inadequate when fending off modern attacks.

LAS VEGAS – On Friday, Mac security researcher Patrick Wardle showed how an attacker can repurpose someone else's Mac malware, plant false attribution flags and sidestep Mac anti-malware defenses with ease. The attack scenarios were his own, built as cautionary examples of why Mac security professionals need to stay on their toes.

The heart of Wardle's thesis came at the end of his DEF CON talk, when he showed several signature-based Mac malware defenses failing against the attacks he had built. Far more effective at detecting and warding off threats, said Wardle, a security researcher with Jamf, is a behavioral and heuristic approach to identifying Mac threats.

The session here proved the point. Wardle laid out a soup-to-nuts attack strategy that could plausibly be in use by adversaries today. He began his proof-of-concept attack by demonstrating how to repurpose known malware samples and customize them for fresh attacks.
Wardle explained that repurposing samples, which in some cases requires reverse engineering them, serves multiple goals. For starters, it is simply easier to repurpose battle-tested malware than to build it from scratch. Second, using another crook's malware code obscures the attacker's true identity: a post-attack analysis might wrongly attribute the malware to the hacking group commonly associated with it rather than to the real attacker.

Such was the case with the Olympic Destroyer malware used in the attack on the 2018 Pyeongchang Winter Olympics, where the adversary deliberately planted false flags to confuse attribution.

In his talk, Wardle showed attendees how easy, and in places how challenging, it is to repurpose and in some cases reverse engineer malware samples. In a demo, he repurposed the WindTail backdoor along with the KeRanger ransomware, the CreativeUpdate cryptominer and the FruitFly implant.

Additional demos illustrated how an attacker might rework malware to report to their own command-and-control server. In one example, he showed how a sample whose command-and-control address is embedded in encrypted form, pointing to the original author's infrastructure, can be commandeered. In practice the hooking library is forced into the process either by adding a load command to the Mach-O binary or by setting the DYLD_INSERT_LIBRARIES environment variable; both work against malware that has no hardened-runtime protections, and patching the binary invalidates any code signature it originally carried.

“Not to worry, what we can do is we can coerce the malware to always load a dynamic library. And then, once our library is running in the process address space of the malware, we can modify the malware at runtime to intercept the decrypted addresses of the command-and-control server before the malware uses them to connect out,” he said.

With the malware customized, the attacker is ready for the next phase, infecting the targeted Macs, which first means getting past macOS anti-malware mitigations.

In this part of his cautionary session, Wardle took on Apple's frontline anti-malware defenses and brought them to their knees. He singled out Apple's XProtect (the signature scanner invoked through File Quarantine), the macOS certificate-checking tool, the native Malware Removal Tool (MRT) and several third-party anti-virus products. He then demonstrated a number of circumvention techniques, all of which centered on altering the bytes, paths or names that signature-based detection keys on.

To that end, the repurposed malware (be it FruitFly, CreativeUpdate or WindTail) undergoes a second-stage modification in order to bypass macOS anti-malware defenses. In one example, Wardle showed that XProtect can be stumped simply by changing a single byte in the malware, or by re-ordering or lightly modifying binary instructions, since a byte-pattern signature no longer matches once the bytes it expects have moved. In his demo, the malware breezed past XProtect.

“Oftentimes you just need to switch a few bytes, change the command line arguments and now – ‘power to the people’ – we have the ability to take these very sophisticated threats and redeploy them for our own surreptitious processes,” he said.

In one example targeting MRT, simply renaming a FruitFly component allowed it to sail past the tool. That's because MRT and the other defenses Wardle singled out block malicious code based on a built-in signature scanner, not behavior.

“If we examine the embedded MRT FruitFly signature, we can see it’s detecting FruitFly based on both the path of the malware and its launch agent. This means as long as we change the path, or the name of the agent, MRT can’t detect it,” Wardle said.

His point: anti-malware protection needs to be based on behavior, not static signatures. The behaviors he listed include persistence, unusual microphone and camera access, mysterious downloads and uploads, screen captures, evidence of a keylogger, synthetic mouse clicks and bulk file encryption.

“Hopefully, I’ve illustrated that by using these behavioral heuristics, we can generically detect even sophisticated Mac threats, even those that have been repurposed by advanced adversaries,” he said.

Black Hat USA 2019 has kicked off this week in Las Vegas.
