Abstract

With macOS's increasing popularity, the number and variety of macOS malware are rising as well. Yet very few tools exist for dynamic analysis of macOS malware. In this paper, we propose a macOS malware analysis framework called Mac-A-Mal. We develop a kernel extension to monitor malware behavior and mitigate several anti-evasion techniques used in the wild. Our framework exploits the macOS feature of XPC service invocation, which typically escapes traditional mechanisms for detecting child processes. Performance benchmarks show that our system is comparable with professional tools and able to withstand VM detection. By using Mac-A-Mal, we discovered 71 unknown adware samples (8 of them using valid distribution certificates), 2 keyloggers, and 1 previously unseen trojan involved in the APT32 OceanLotus campaign.

Highlights

  • Contrary to popular belief, the Mac ecosystem is not unaffected by malware

  • System Integrity Protection (SIP) is a built-in feature introduced in OS X El Capitan to protect system files and directories against modifications by processes without the required entitlement

  • We presented a hybrid malware analysis framework where static and dynamic analysis are combined to support the analysts


Summary

Introduction

The Mac ecosystem is not unaffected by malware. In 2014, the first known ransomware appeared, and other ransomware has been discovered as Software-as-a-Service (SaaS), where malware is available on request. The open source Mac-sandbox [2] is vulnerable to anti-analysis techniques such as Dylib name verification. Cuckoo sandbox [3] does not support anti-analysis mitigation or human interaction under the macOS environment. The closed source FireEye monitor uses a kernel extension which is resistant to anti-analysis techniques, but requires human intervention. A few days after our analysis reports were published on social media, many anti-virus vendors had updated their engines to be able to detect these unknown samples (Table 2). We review related literature on macOS malware analysis and detection in Sect. The anti-evasion techniques analysis and mitigation are presented in Sect. 5. A comparison of Mac-A-Mal with other dynamic analysis tools is conducted in Sect. 7, we show case studies of analyzing a malware family using Mac-A-Mal. In Sect.

Background on OSX kernel and application security
Related work
General system architecture
Robust anti-evasion techniques
Performance evaluation
Malware family analysis
Threats to validity
Findings
Conclusion and future work