Research Centre

[Black Hat USA 2018 Arsenal] Learn How to Build Your Own Utility to Monitor Malicious Behaviors of Malware on macOS

This talk was presented by Kai Lu at Black Hat USA 2018 Arsenal. In this presentation, Kai Lu initially demonstrated FortiAppMonitor. FortiAppMonitor is a powerful utility to monitor kinds of behaviors of programs on macOS. The programs on macOS certainly contain normal programs and applications, as well as malware. As a malware analyst or security researcher, having a powerful dynamic analysis utility is vital to be effective and efficient. This utility enables users to understand malware capabilities and quickly analyze the malicious behaviors of malware targeting on macOS.


The landscape of macOS malware has changed dramatically in the past couple of years. Threats are becoming more complex, more varied, and more numerous. As a malware analyst or security researcher, having a powerful dynamic analysis utility is vital to be effective and efficient. This utility can enable users to understand malware capabilities and quickly analyze the malicious behaviors of malware.


Want to know how to build your own arsenal? This talk details the implementation to monitor kinds of malicious behaviors of malware on macOS. The capabilities of the utility cover monitoring process execution with command line arguments and process exit, file system events (including all common file operations, such as open, read, write, delete, rename operations), dylib loading event, kext loading and unloading events, network activities (including UDP, TCP, ICMP, DNS query and response).


The Mandatory Access Control Framework is the substrate on top of which all of Apple's securities, both macOS and iOS, are implemented. This talk discusses how to monitor process execution, file system events, and dylib loading events using MACF on macOS. Next, the talk provides the details for monitoring network activities using Socket Filters. The utility can also record some basic info including process name, parent process name, pid, ppid, uid besides the specific details for each event. For DNS response, this utility can parse the data of DNS response and record the IP:URL mappings. 


The utility consists of two parts, one is the KEXT (core component) in kernel, the other one is a client program in user space, which involves the communication between kernel space and user space. After discussing some communication mechanisms,  the kernel control API is chosen. It is a socket-based API that allows us to communicate with and receive broadcast notifications from the KEXT. The client program is intended to receive the data from the KEXT and display it to users.


In this presentation, Kai provides an advanced solution to monitor kinds of malicious behaviors of malware in kernel on macOS.  Then all involved key technical details are provided for the implementation of monitoring all common malicious behaviors of malware on macOS. This utility is designed to dynamically analyze the malicious behaviors of malware on macOS, helping analysts or security researchers more efficiently analyze malware. Based on this talk, you can build your own utility for fun!

References