Please note that index entries link to the approximate location of each term.
A
Abbati, Arnaud, 117
ABI (application binary interface), 128
Activity Monitor tool, 64
adware
adware-related hijacks and injections, 54–56
Bitdefender Adware Removal Tool, 49
Crossrider, 43
Pitchofcase, 40
aevt_decompile decompiler, 87
Amnesty International, 63
analysis. See dynamic analysis; static analysis
analysis tool detection
targeting security tools, 208–209
analyzing EvilQuest malware
command line parameters, 231–233
extracting embedded information, 229–231
file encryption logic, 275–277
file exfiltration logic, 271–275
local viral infection logic, 253–263
remote communications logic, 263–271
Suspicious Package utility, 225–228
analyzing scripts
anti-dynamic-analysis approaches, 204–216
anti-static-analysis approaches, 188–204
environmentally generated keys, 216–217
debugging-thwarting logic, 234–238
virtual machine-thwarting logic, 233–234
overview, 187
anti-dynamic-analysis approaches
analysis tool detection, 208–211
targeting security tools, 208–209
execution environment, modifying, 213
modifying instruction pointer, 214–215
modifying register value, 216
patching binary image, 213–214
virtual machine detection, 204–207
counting logical and physical CPUs, 206
MAC address, checking, 207
SIP status, 208
system model name, checking, 205–206
anti-infection protection mechanisms
application notarization requirements, 4–5
File Quarantine, 4
Gatekeeper, 4
anti-static-analysis approaches
code-level obfuscations, 199–204
string-based obfuscation, 188–199
finding deobfuscation code, 193–194
forcing malware to execute decryption routine, 197–199
locating obfuscated strings, 191–192
sensitive strings disguised as constants, 188–189
append_ei function, EvilQuest malware, 257–259
Apple Disk Images (.dmg), 72
AppleJeus malware, 75–76, 135, 151–152
application binary interface (ABI), 128
application bundles
Contents/_CodeSignature file, 93
Contents/ directory, 93
Contents/Info.plist file, 93–95
Contents/MacOS directory, 93
Contents/Resources directory, 93
defined, 91
applications
application notarization requirements, 4–5
Art of Computer Virus Research and Defense, The (Szor), 253
defined, 126
instructions, 127
objc_msgSend function, 128–130
overview, 126
assembly (ASM) mode, Hopper, 146
B
backtrace command, LLDB debugger, 175
binary analysis
extracting nonbinary components, 116–122
Mach-O binary file format, 99–114
tools used to build binaries, 115–116
BirdMiner malware, 10, 56, 155–156
BitcoinMagazine-Quidax _InterviewQuestions_2018 document, 51
Bitdefender Adware Removal Tool, 49
breakpoint command, LLDB debugger, 174
breakpoint delete command, LLDB debugger, 174
breakpoint enable/disable command, LLDB debugger, 174
breakpoint list command, LLDB debugger, 174
breakpoint modify command, LLDB debugger, 174
breakpoints
conditionally triggering, 172–173
defined, 170
managing, 174
setting on method names, 172
brute-forcing, 17
__bss section, Mach-O binary __DATA segment, 106
Bundlore malware, 117
C
calling conventions, assembly, 127–128
capabilities
adware-related hijacks and injections, 54–56
defined, 1
privilege escalation
remote process, 58
carve_target function, EvilQuest malware, 276
certificate file exfiltration, 272–275
CFG (control flow graph) mode, Hopper, 146
CFStringGetCString function, 137
Checkm8 exploit, 20
code-level obfuscations
defined, 188
code-signing authorities, 109
Cohen, Frederick, 253
ColdRoot malware, 154
commands, adding to breakpoints, 173–174
construct_plist_path function, EvilQuest malware, 251
__const section, Mach-O binary __TEXT segment, 106
Contents/_CodeSignature file, 93
Contents/ directory, 93
Contents/Info.plist file, 93–95
Contents/MacOS directory, 93
Contents/Resources directory, 93
continue command, LLDB debugger, 169
control flow disassembly, 137–139
control flow graph (CFG) mode, Hopper, 146
cputype member, Mach-O header, 101
CreativeUpdate malware, 16, 56, 109, 117–118
cross-references, Hopper, 144–145
Crossrider adware, 43
cryptocurrency
cryptocurrency file exfiltration, 272–275
uncovering cryptocurrency mining in App Store app, 180–185
__cstring section, Mach-O binary __TEXT segment, 106
CTRL-C command, LLDB debugger, 169
Cylance antivirus firm, 59
D
Dacls backdoor malware, 133–134, 159–160
DarthMiner malware, 56
__data section, Mach-O binary __DATA segment, 106
__DATA segment, Mach-O binary file format, 104, 107
dataWithBytes:length: method, Objective-C disassembly, 130
debugging
controlling execution, 169–170
displaying runtime information, 174–176
modifying process state, 176–178
overview, 165
uncovering cryptocurrency mining in App Store app, 180–185
debugging-thwarting logic, 234–238
Decompiler tool, 80
DevilRobber malware, 84
directory listing exfiltration, 271–272
disassembly
display modes, Hopper, 145–146
distribution packaging, extracting malicious files from
Apple Disk Images, 72
.dmg (Apple Disk Images) file extension, 72
Dok malware, 5
DoubleFantasy malware, 194–196
Dummy malware, 57
dumping (printing), debugging process, 166–167, 174
DYLD_* environment variables, 35–36
dylibs. See dynamic libraries
dynamic analysis
overview, 165
uncovering cryptocurrency mining in App Store app, 180–185
defined, 67
network status monitors, 158–159
network traffic monitors, 160–163
ProcessMonitor utility, 151–153
dynamic libraries (dylibs), 34–39
DYLD_* environment variables, 35–36
E
EFI (Extensible Firmware Interface) exploits, 20
ei_carver_main function, EvilQuest malware, 275
ei_forensic_sendfile function, EvilQuest malware, 274
ei_forensic_thread function, EvilQuest malware, 271
ei_loader_main function, EvilQuest malware, 254
ei_pers_thread function, EvilQuest malware, 252
ei_rfind_cnc and ei_getip functions, EvilQuest malware, 281
ei_selfretain_main function, EvilQuest malware, 249–250
ei_str function, EvilQuest malware, 239–240
8-bit registers, 127
eiht_get_update function, EvilQuest malware, 262–263
embedded information, extracting, 229–231
Endpoint Security framework, 151
environmentally generated keys, 216–217
Equation Group, 217
ESET antivirus company, 10
Esser, Stefan, 54
event monitor rules, 41
EvilQuest malware, 43, 52, 62, 215
analyzing
command line parameters, 231–233
extracting embedded information, 229–231
file encryption logic, 275–277
file exfiltration logic, 271–275
local viral infection logic, 253–263
remote communications logic, 263–271
Suspicious Package utility, 225–228
invoking string decryption routine, 197–199
certificate and cryptocurrency exfiltration, 272–275
directory listing exfiltration, 271–272
exploits
defined, 18
Extensible Firmware Interface (EFI) exploits, 20
externally facing services, 17–18
F
fake updates, 7
fat_header, Mach-O header, 102
52M_rj function, EvilQuest malware, 278
file command
identifying byte-compiled Python script with, 70–71
identifying Office documents, 89
file encryption logic, 61–62, 275–277
file exfiltration logic, EvilQuest malware analysis
certificate and cryptocurrency file exfiltration, 272–275
directory listing exfiltration, 271–272
file monitoring
File Quarantine, 4
filetype member, Mach-O header, 101
file utility, 228
EvilQuest malware, 223
Mach-O header, 103
WindTail malware, 71
FindCrypt plug-in, 194
FinFisher malware, 172
finish command, LLDB debugger, 169
FinSpy, 63
FireEye, 53
Flashback malware, 18
Flash zero-day, 19
FruitFly malware, 17, 64, 88–89, 151
G
garbage (spurious) instructions, 200
Gatekeeper, 4
get_mediator function, EvilQuest malware, 263–265
get_targets function, EvilQuest malware, 254, 272–274, 275
getDeviceSerial function, 135–136, 137, 139
GMERA, 63
Grant, Ari, 172
H
HackingTeam cyberespionage company, 19
Handbrake application, 16
handlers, AppleScript, 87
header, Mach-O binary file format, 100–103
cputype member, 101
fat_header, 102
filetype member, 101
file utility and, 103
offset member, 102
otool utility and, 101
hexadecimal mode, Hopper, 146
-h flag, Mach-O header, 101
Homebrew package manager, 6
Hopper disassembler
Proc view, 142
reverse engineering with, 140–146
creating binary to analyze, 140–141
loading binary, 141
string-based obfuscation via Hopper script, 194–196
Str view, 142
hostname command, 89
--ignrp command line parameter, EvilQuest malware, 233
I
infection vectors
anti-infection protection mechanisms, 4–5
defined, 1
externally facing services, 17–18
fake updates, 7
physical attacks, 19
supply chain attacks, 16
Info.plist file
defined, 11
Inspector view, Hopper, 141–142
Intego security company, 7
interactive shells, 57
IOServiceGetMatchingService function, 136–137
Iran Threats blog, 49
is_debugging function, EvilQuest malware, 235–236
is_executable function, EvilQuest malware, 255–257
iWorm malware, 10
J
jobs, 33
K
KeRanger ransomware, 61, 213–215
keychains, 49
kill_unwanted function, EvilQuest malware, 244
KnockKnock open source utility, 44–45
Komplex malware, 58, 130, 138, 210
L
Lazarus Group, 58, 61, 91, 133, 217
AppleJeus, 75–76, 135, 151–152
Dacls backdoor malware, 133–134, 159–160
LC_LOAD_DYLIB load command, Mach-O binary file format, 105–106
LC_MAIN load command, Mach-O binary file format, 104–105
LC_SEGMENT_64 load command, Mach-O binary file format, 104
lfsc_dirlist function, EvilQuest malware, 272
__LINKEDIT segment, Mach-O binary file format, 104
lipo tool, Mach-O header, 102–103
Little Snitch firewall, 49, 209
LLDB debugger
conditionally triggering, 172–173
defined, 170
managing, 174
setting on method names, 172
controlling execution, 169–170
examining runtime information, 174–176
modifying process state, 176–178
load commands, Mach-O binary file format
LC_SEGMENT_64, 104
local viral infection logic
checking which files to infect, 255–257
EvilQuest malware analysis, 253–263
executing original code of infected file, 262–263
executing and repersisting from infected files, 260–262
infecting target files, 257–260
listing candidate files for infection, 254
login/logout hooks, 34
LoudMiner malware, 10
lsof utility, 159
M
Mach-O binary file format, 76, 95
code-signing information, 109–111
Objective-C class information, 113–114
cputype member, 101
fat_header, 102
filetype member, 101
file utility and, 103
offset member, 102
otool utility and, 101
LC_SEGMENT_64, 104
__DATA segment, 107
__TEXT segment, 107
__LINKEDIT segment, 104
MachOView utility, 101
mach port, 136
macros
magic member, Mach-O header, 100–101
Malwarebytes, 54
Mami malware, 166
memory write command, LLDB debugger, 177–178
MH_BUNDLE (0x8) value, Mach-O header, 101
MH_DYLIB (0x6) value, Mach-O header, 101
MH_EXECUTE (0x2) value, Mach-O header, 101
MinerGate, 118
mnemonics, assembly instructions, 127
Mughthesec malware, 54, 207, 213
N
Netcat utility, 150
Netiquette utility, 60, 159–160
netstat utility, 158
nettop utility, 158
network monitoring
network status monitors, 158–159
network traffic monitors, 160–163
nexti command, LLDB debugger, 169
nm utility, EvilQuest malware, 229
nonbinary analysis
extracting malicious files from distribution packaging, 72–76
Apple Disk Images, 72
non-interactive shells, 57
nonoperations (NOPs), 200
NSData class method, Objective-C disassembly, 131–132
NSTask launch method, 134
Nygard, Steve, 113
O
obfuscated strings
EvilQuest malware, 197–199, 238–242
__objc_* section, Mach-O binary __DATA segment, 106
objc_msgSend function, 172, 178–179, 182–183, 193
Swift disassembly, 133
Objective-C disassembly, 130–133
Office macros
offset member, Mach-O header, 102
operands, 127
organizationally unique identifier (OUI), 207, 213
osadecompile command, 82
OS X Leopard, 4
OS X Mountain Lion, 4
OUI (organizationally unique identifier), 207, 213
P
patch binary
disassembling, 231
extracting embedded information from, 229–231
persist_executable_frombundle function, EvilQuest malware, 261
persist_executable function, EvilQuest malware, 246
persistence
application and binary modifications, 42–43
DYLD_* environment variables, 35–36
event monitor rules, 41
EvilQuest malware analysis, 243–252
copies as launch items, 247–249
killing unwanted processes, 244–246
starting launch items, 249–252
KnockKnock open source utility, 44–45
login/logout hooks, 34
at jobs, 33
scripts, 41
physical attacks, 19
Pirate Bay website, 10
Pirrit malware, 102, 200–201, 208
Pitchofcase adware, 40
pkgutil utility, EvilQuest malware, 225
Platypus tool, 76–77, 115, 117–118
prevent_trace function, EvilQuest malware, 237–238
print command, LLDB debugger, 175
printing (dumping), debugging process, 166–167, 174
privilege escalation
process monitoring
ProcessMonitor utility, 151–153
Proc view, Hopper, 142
Proton malware, 16, 49, 208–209
pseudocode mode, Hopper, 146
ptrace system call, preventing debugging with, 210–211
PyInstaller Extractor tool, 119
R
ransomware. See also EvilQuest malware
defined, 23
KeRanger ransomware, 61, 213–215
RBP register, 127
react_exec function, EvilQuest malware, 266–267
react_host function, EvilQuest malware, 270
react_keys function, EvilQuest malware, 269
react_ping function, EvilQuest malware, 270, 280
react_sav function, EvilQuest malware, 268
react_scmd function, EvilQuest malware, 270–271
react_start function, EvilQuest malware, 268
react_updatesettings function, EvilQuest malware, 281
Reaves, Jason, 277
Reed, Thomas, 43, 54, 207, 222
registers
R8 register, 269
R9 register, 183
RAX register, 31, 126–128, 130–131, 136–137, 175–177, 190, 200, 211, 216, 236, 248, 239
RBP register, 127
RSI register, 131–132, 129, 136–137, 179–180, 193
RSP register, 127
modifying register value, 216
“scratch,” 136
register write command, LLDB debugger, 176–177
remote communications logic, EvilQuest malware analysis
get_mediator function, 263–265
remote process, 58
remote services, compromising, 17–18
remote tasking logic, EvilQuest malware, 265–271
react_host function, 270
react_keys function, 269
react_ping function, 270
react_sav function, 268
react_start function, 268
repersistence logic, EvilQuest malware analysis, 252–253
reverse engineering
creating binary to analyze, 140–141
loading binary, 141
Riordan, James, 217
RSI register, 131–132, 129, 136–137, 179–180, 193
RSP register, 127
run_audio and run_image functions, EvilQuest malware, 281
run_daemon function, EvilQuest malware, 250–251
run_target function, EvilQuest malware, 262–263
run command, LLDB debugger, 169
run-only AppleScript files, 84–87
runtime information, displaying, 174–176
S
s_is_high_time function, EvilQuest malware, 275
scheduling mechanisms
at jobs, 33
Schneier, Bruce, 217
“scratch” registers, 136
scripts, 41
scutil command, 89
segments, Mach-O binary file format, 106–107
__DATA segment, 107
__TEXT segment, 107
__LINKEDIT segment, 104
set_important_files function, EvilQuest malware, 252–253
setLaunchPath: method, Swift disassembly, 133
signing certificate, 109
--silent command line parameter, EvilQuest malware, 231–232
SIP (System Integrity Protection) status, 169, 208
16-bit registers, 127
64-bit registers, 127
spurious (garbage) instructions, 200
stack, defined, 127
static analysis
extracting nonbinary components, 116–122
Mach-O binary file format, 99–114
tools used to build binaries, 115–116
defined, 67
extracting malicious files from distribution packaging, 72–76
reverse engineering with Hopper, 140–146
stepi command, LLDB debugger, 169
stepping through, debugging process, 166
string-based obfuscation
defined, 188
finding deobfuscation code, 193–194
forcing malware to execute decryption routine, 197–199
locating obfuscated strings, 191–192
sensitive strings disguised as constants, 188–189
strings
extracting embedded strings, 112–113
obfuscated strings
EvilQuest malware, 197–199, 238–242
strings utility
Str view, Hopper, 142
sudoers file, 54
supply chain attacks, 16
Suspicious Package utility, 73–75, 225–228
System Integrity Protection (SIP) status, 169, 208
Szor, Peter, 253
T
tcpdump utility, 160
team identifier, 109
__TEXT segment, Mach-O binary file format, 104, 106–107
ThiefQuest malware, 278. See also EvilQuest malware
32-bit registers, 127
Thomas, Adam, 54
Tor utility, 150
typosquatting, 6
U
universal binaries, 102
user-assisted infections. See also infection vectors
anti-infection protection mechanisms, 4–5
/usr/bin/osascript command, AppleScript, 82
V
VBA (Visual Basic for Applications), 14
-v flag, Mach-O header, 101
Vilaça, Pedro, 202
virtual machine detection
counting logical and physical CPUs, 206
MAC address, checking, 207
SIP status, checking, 208
system model name, checking, 205–206
virtual machine-thwarting logic, 233–234
viruses
checking which files to infect, 255–257
defined, 253
infected files
executing and repersisting from, 260–262
executing original code of, 262–263
infecting target files, 257–260
listing candidate files for infection, 254
VirusTotal antivirus scanning portal, 108
Visual Basic for Applications (VBA), 14
VMware, 207
VST Crack website, 10
W
Wacaw tool, 150
WhatsYourSign (WYS) tool, 71–73
whoami command, 89
WindTail malware, 10–13, 59–61, 70, 91–95
key/value pairs, 94
Wireshark application, 161–163
writeconfig.xpc service, 53
writeToFile:atomically: method, Objective-C disassembly, 132
WYS (WhatsYourSign) tool, 71–73
X
XAgent malware, 114
x/b command, LLDB debugger, 175
x/i command, LLDB debugger, 175
x/s command, LLDB debugger, 175
XSLCmd malware, 53
Y
Yort malware, 91
Z
ZuRu malware, 106