Wednesday 2 October 16:00 - 16:30, Red room
Sergei Shevchenko (Sophos)
One of the fairly popular macOS bundleware exemplars presented in this research employs techniques that any seasoned threat researcher will find ... rather amusing. Not only does it employ anti-debugging, strings/API encryption and Mach-O runtime decompression techniques, its developers went as far as embedding a full backdoor component into the installer, granting it capabilities that extend way beyond what one might expect from a piece of installation software.
The power given to the installer practically enables full control over the target system. Even if this was done so that the company behind the installer had 'advanced analytics' or the ability to push any third-party software it wants, what happens if this power is abused?
Boasting 'millions of downloads' (whether this is true or not), this particular bundleware has potential access to a large number of Macs around the world. Given the amount of power it aggregates, it is a matter of duty for the security folks to have a closer look at this software.
In this research, we'll dive into the installer's Mach-O binary to demonstrate how it piggy-backs on 'non-lazy' Objective-C classes, the way it dynamically unpacks its code section in memory and decrypts its config. An in-depth analysis will reveal the structure of its engine and the full scope of its hidden backdoor capabilities, anti-debugging, VM evasion techniques and other interesting tricks that are so typical to the Windows malware scene, but which aren’t commonly found in the unwanted apps that claim to be clean, particularly on the Mac platform.
This talk will reveal practical hands-on tricks used in Mach-O binary analysis under a Hackintosh VM guest, using LLDB debugger and IDA Pro disassembler, along with a very interesting marker found during the analysis.
Curious to learn what that marker was? Willing to see how far the Mac-specific techniques evolved in relation to Windows malware?
Then this talk is for you.
DISCLAIMER: the software vendor won't be named; this research is entirely focused on technical aspects of the reverse-engineered software.
Sergei Shevchenko has more than 18 years of professional experience reverse engineering malware and is a recognized expert in his field. His analysis of high-profile malware attacks, including previous years' Bangladesh Bank heist, attacks on Polish and other banks, recent cyber espionage within managed service providers and ransomware attacks affecting thousands of vital service organizations globally, is the go-to information source for risk and technology officers and their teams around the world. At SophosLabs, Sergei manages a global team of cyber-threat researchers, focused on Android, Linux, and macOS platforms.
Martijn Grooten (Virus Bulletin)
Mika Ståhlberg (F-Secure)
Jamie Tomasello (Duo Security)
Paul Chichester (National Cyber Security Centre, UK)