Introduction

Do Macs even get malware? If we’re to believe an Apple marketing claim once posted on Apple.com, apparently, no:

[Mac] doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe without any work on your part.¹

Of course, this statement was rather deceptive and to Apple’s credit has long been removed from their website. Sure, there may be a kernel of truth in it; due to inherent cross-platform incompatibilities (not Apple’s “defenses”), a native Windows virus cannot typically execute on macOS. But cross-platform malware has long targeted both Windows and macOS. For example, in 2019 Windows adware was found packaged with a cross-platform framework that allowed it to run on macOS.²

Regardless of any marketing claims, Apple and malware have a long history of coexisting. In fact, Elk Cloner, the first “wild virus for a home computer,” infected Apple operating systems.³ Since then, malware targeting Apple computers has continued to flourish. Today it’s no surprise that Mac malware is an ever-growing threat to both end users and enterprises.

There are many reasons for this trend, but one simple reason is that as Apple’s share of the global computer market grows, Macs become an ever more compelling target to opportunistic hackers and malware authors. According to Gartner, Apple shipped over 6 million Macs in the second quarter of 2021 alone.⁴ In other words, more Macs means more targets for more Mac malware.

Moreover, although we often think of Macs as primarily consumer-focused machines, their presence in the enterprise is rapidly increasing. A report from early 2020 that studied this trend notes that Apple’s systems are now in use “across the Fortune top 500.”⁵ Such an increase unfortunately also begets an increase in sophisticated malware designed specifically to target the macOS enterprise, for purposes such as industrial espionage.

And although Apple’s market share still largely lags Microsoft’s, some research indicates that malicious threats target Macs equally, if not more. For example, Malwarebytes noted the following in their “2020 State of Malware Report”:

And for the first time ever, Macs outpaced Windows PCs in number of threats detected per endpoint.⁶

An interesting trend, and one that aligns with the ever-growing popularity of macOS, is attackers porting their Windows malware to macOS so that it will run natively on Apple’s desktop platform. In fact, in 2020 over half of the newly discovered, unique macOS malware “species” originated on Windows or a non-macOS platform.⁷ Recent examples of malware specimens that now have macOS variants include Mami, Dacls, FinSpy, IPStorm, and GravityRAT.

And why wouldn’t malware authors port their Windows or Linux malware to macOS? Such malware is already feature-complete and tested in the wild on the other operating systems. By taking this malware and either porting it to (or simply recompiling it for) macOS, attackers immediately gain compatibility with a whole new set of targets.

On the flip side, attackers also appear to be investing in macOS-specific malware. For example, a report from 2020 highlights the growing number of Mac-specific malware attacks created by highly knowledgeable macOS hackers:

All of the samples reviewed above have appeared in the last eight to ten weeks and are evidence that threat actors . . . are themselves keeping up-to-date with the Apple platform. These are not actors merely porting Windows malware to macOS, but rather Mac-specific developers deeply invested in writing custom malware for Apple’s platform.⁸

As illustrated in the following examples, these developments have led to an increase in the sophistication of attacks and malware used against macOS and its users.

Use of zero-days

1. In a write-up titled “Burned by Fire(fox): a Firefox 0day Drops a macOS Backdoor,” I wrote about how attackers leveraged a Firefox zero-day to persistently deploy a persistent macOS implant.⁹

   In another report that analyzed a different piece of macOS malware, TrendMicro researchers noted,

   We have discovered an unusual infection . . . Most notable in our investigation is the discovery of two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults, another is used to abuse the development version of Safari.¹⁰

Sophisticated targeting

1. In a recent attack by the WindShift APT group, researchers noted that “WINDSHIFT was observed launching sophisticated and unpredictable spear-phishing attacks against specific individuals and rarely targeting corporate environments.”¹¹

   In another case, researchers at Google uncovered an attack specifically “targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.”¹² Attributed to nation-state attackers, the attack (which also leveraged a zero-day exploit) sought to surreptitiously infect macOS users whose political views diverged from those in power.

Advanced stealth techniques

1. In a report on a recent Lazarus APT Group macOS implant, I noted that the group’s capabilities continue to evolve, as evidenced in “a new sample with the ability to remotely download and execute payloads directly from memory,” thus thwarting various file-based security tools.”¹³

   In “FinFisher Filleted,” yet another write-up on a piece of sophisticated macOS malware, I discussed the use of a kernel-level rootkit component. I noted that the rootkit “contains the logic to remove the target process of interest, by unlinking it from the (process) list. Once removed, the process is now hidden.”¹⁴

Bypassing recent macOS security features

1. In a detailed report, “All Your Macs Are Belong To Us,” on a vulnerability now patched as CVE-2021-30657, I wrote about how malware was exploiting this flaw to run unsigned and unnotarized code, “bypassing all File Quarantine, Gatekeeper, and Notarization requirements.”¹⁵

   Recently I analyzed another piece of macOS malware that had been inadvertently notarized by Apple. As discussed in my analysis, once notarized, “these malicious payloads are allowed to run . . . even on macOS Big Sur.”¹⁶

The cause of this increased attack sophistication is up for debate: Does it come in response to Mac users becoming more threat-savvy (read: less naive)? Or is it due to the increased availability of advanced macOS security tools, an improvement to the core security of macOS, or a combination thereof?

Let’s conclude this section with a well-articulated statement from a Kaspersky “Threats to macOS users” report, which sums up the Macs versus malware debate:

Our statistics concerning threats for macOS provide fairly convincing evidence that the stories about this operating system’s complete safety are nothing more than that. However, the biggest argument against the idea that macOS (and iOS as well) is invulnerable to attack is the fact that there already have been attacks against individual users of these operating systems and groups of such users. Over the past few years, we have seen at least eight campaigns whose organizers acted on the presumption that the users of MacBook, iPhone, and other devices do not expect to encounter malware created specifically for Apple platforms.¹⁷

All in all, it’s clear that Mac malware is here to stay—in increasingly sophisticated and insidious ways.

Who Should Read This Book?

You! If you’re holding this book in your hands, by all means keep reading. While a basic understanding of cybersecurity fundamentals, or even malware basics, may help you get the most out of this book, they are not prerequisites. That said, this book was written with particular groups in mind, including, but not limited to:

• Students: As an undergraduate studying computer science, I possessed a keen interest in computer viruses and yearned for a book such as this one. If you are working toward a technical degree and are interested in learning more about malware, perhaps to enhance or complement your studies, this book is for you.
• Windows malware analysts: My career as a malware analyst began at the NSA, where I studied Windows-based malware and exploits that targeted US military systems. When I left the agency, I began studying macOS threats but encountered a lack of resources on the topic. In some sense, this book aims to fill this gap. So if you’re a Windows malware analyst seeking to understand how to analyze threats targeting macOS systems, this book is for you.
• Mac system administrators: Largely gone are the days of the homogenous Windows-based enterprise. Today, Macs in the enterprise are ever more commonplace. This has given rise to dedicated Mac system administrators and (unfortunately) malware authors focused on enterprise systems running macOS. If you are a Mac system administrator, it is imperative that you understand the threats targeting the systems you seek to defend. This book aims to provide such an understanding (and much more).

What You’ll Find in This Book

Comprehensively analyzing Mac malware requires an understanding of many topics and the mastery of many skills. To cover these in a hands-on manner, this book is divided into three parts.

In Part 1, Mac Malware Basics, we’ll cover foundational topics, including Mac malware’s infection vectors, methods of persistence, and capabilities.

In Part 2, Mac Malware Analysis, we’ll transition into more advanced topics, such as static and dynamic analysis tools and techniques. The former involves examining a sample without executing it using various tools. Static analysis often finishes with a disassembler or decompiler. Dynamic analysis is the analysis of a malicious sample while it is executing, using passive monitoring tools as well as a debugger.

In Part 3, Analyzing EvilQuest, you’ll apply all that the book has taught you by walking through a thorough analysis of a complex Mac malware specimen, EvilQuest. This hands-on section illustrates how you, too, can analyze even sophisticated malware specimens.

Armed with this knowledge, you’ll be well on your way to becoming a proficient Mac malware analyst.

A Note on Mac Malware Terminology

Oxford Languages defines malware as follows:

Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.¹⁸

You can think of malware simply as any software written with malicious intent.

As with anything in life, there are always shades of gray. For example, consider adware that has been packaged with shareware and installed only after a user clicks “allow” without reading a long agreement. Is this considered malware? The adware authors would argue no; they might go as far as claiming their software provides a service to the user, such as ads of interest. This argument might seem absurd, but even the antivirus industry refers to such software as “potentially unwanted software” in an attempt to avoid legal challenges.

In the context of this book, such classifications are largely irrelevant, as my goal is to provide you with the tools and techniques to analyze any program, binary, or application, regardless of its malicious nature.

A Note on Safely Analyzing Malware

This book demonstrates the use of many hands-on techniques for analyzing Mac malware. In Part 3 of the book, you can even follow along in an analysis of a malware specimen called EvilQuest. But because malware is malicious, it should be handled with the utmost of care.

As malware analysts, we’ll often want to purposely run the malware during the course of our research. By executing the malware under the watchful eye of various dynamic analysis and monitoring tools, we will be able to gain an understanding of how a malicious sample can infect a system and persistently install itself, and what payloads it then deploys. But, of course, this analysis must be done in a tightly controlled and isolated environment.

One approach is to use a standalone computer as a dedicated analysis machine. This machine should be set up in the most minimal of ways, with services such as file sharing disabled. In terms of networking, the majority of malware will require internet access to fully function (for example, to connect to a command and control server for tasking). Thus, this analysis machine should be connected to the network in some manner. At a minimum, it is recommended that network traffic be routed through a VPN to mask your location.

However, there are downsides to leveraging a standalone computer for your analysis, including cost and complexity. The latter becomes especially apparent if you want to revert the analysis system to a clean baseline state (for example, to re-run a sample, or when analyzing a new specimen). Though you could just reinstall the OS, or if using Apple File System (APFS), revert to a baseline snapshot, these are both rather time-consuming endeavors.

To address these drawbacks, you can instead leverage a virtual machine for your analysis system. Various companies, such as VMWare and Parallels, offer virtualized options for macOS systems. The idea is simple: virtualize a new instance of the operating system that can be isolated from your underlying environment and, most notably, reverted to its original state at the click of a button. To install a new virtual machine, follow the instructions provided by each vendor. This typically involves downloading an operating system installer or updater, dragging and dropping it into the virtualization program, and then clicking through the remaining setup.

Before performing any analysis, make sure you disable any sharing between the virtual machine and the base system. It would be rather unfortunate to run a ransomware sample, only to find that it had been able to encrypt files on your host system via shared folders! Virtual machines also offer options for networking, such as host-only and bridged. The former will allow only network connections with the host, which may be useful in various analysis situations, such as when you’re setting up a local command and control server.

As noted, the ability to revert a virtual machine to its original state can greatly speed up malware analysis by allowing you to revert to different stages in the process. First, you should always take a snapshot before you begin your analysis so that when the analysis is complete, you can bring the virtual machine back to a known clean slate. During your analysis session, you should also make judicious use of snapshots, such as just prior to allowing the malware to execute some core logic. If the malware fails to perform the expected action (perhaps because it detected one of your analysis tools and prematurely exited), or if your analysis tools failed to gather the data you required for your analysis, no problem. Simply revert to the snapshot, make any necessary changes to your analysis environment or tools, and then allow the malware to re-execute.

The main drawback to the virtual machine analysis approach is that malware may contain anti-VM logic. Such logic attempts to detect if the malware is running within a virtual machine. If the malware is able to successfully detect that it is being virtualized, it will often exit in an attempt to thwart continued analysis. See Chapter 9 for approaches to identifying and overcoming this logic and continuing your VM-based analysis unabated.

For more information about setting up an analysis environment, including the specific steps for setting up an isolated virtual machine, see “How to Reverse Malware on macOS Without Getting Infected.”¹⁹

Additional Resources

For further reading, I recommend the following resources.

Books

The following list contains some of my favorite books on topics such as reverse engineering, macOS internals, and general malware analysis:

• “macOS/iOS (*OS) Internals” trilogy, by Jonathan Levin (Technologeeks Press, 2017)
• The Art of Computer Virus Research and Defense by Peter Szor (Addison-Wesley Professional, 2005)
• Reversing: Secrets of Reverse Engineering by Eldad Eilam (Wiley, 2005)
• OS X Incident Response: Scripting and Analysis by Jaron Bradley (Syngress, 2016)

Websites

There used to be a dearth of information about Mac malware analysis online. Today, the situation has greatly improved. Several websites collect information on this topic, and blogs such as my very own Objective-See are dedicated to Mac security topics. The following is a non-exhaustive list of some of my favorites:

• https://papers.put.as/: A fairly exhaustive archive of papers and presentations on macOS security topics and malware analysis.
• https://themittenmac.com/: The website of the noted macOS security researcher and author, Jaron Bradley, that includes incident response tools and threat hunting knowledge for macOS.
• https://objective-see.com/blog.html: My blog, which for the last half decade has published my research and that of fellow security researchers on the topics of macOS malware, exploits, and more.

Downloading This Book’s Malware Specimens

If you want to delve deeper into the book’s material or follow along in a hands-on manner (which I highly recommend), the malware specimens referenced in this book are available for download from Objective-See’s online malware collection.²⁰ The password for the specimens in the collection is infect3d.

It’s worth reiterating that this collection contains live malware. Please don’t infect yourself! Or if you do, at least don’t blame me.

Endnotes

¹ Graham Cluley, “Macs and Malware—See how Apple has changed its marketing message,” Naked Security, June 14, 2012, https://nakedsecurity.sophos.com/2012/06/14/mac-malware-apple-marketing-message/.

² Emil Protalinski, “Cross-platform malware exploits Java to attack PCs and Macs,” ZDNet, May 1, 2012, https://www.zdnet.com/article/cross-platform-malware-exploits-java-to-attack-pcs-and-macs/; Don Ovid Ladores and Luis Magisa, “Windows App Runs on Mac, Downloads Info Stealer, Adware,” Trend Micro, February 11, 2019, https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/.

³ “Elk Cloner,” The Virus Encyclopedia, http://virus.wikidot.com/elk-cloner/.

⁴ William Gallagher, “Gartner: Apple sold 1 million more Macs year over year in Q2,” AppleInsider, July 13, 2021, https://appleinsider.com/articles/21/07/13/gartner-apple-sold-1-million-more-macs-year-on-year-in-q2/.

⁵ Jonny Evans, “Mac adoption at SAP doubles as Apple enterprise reach grows,” Apple Must, February 3, 2020, https://www.applemust.com/mac-adoption-at-sap-double-as-apple-enterprise-reach-grows/.

⁶ “2020 State of Malware Report,” Malwarebytes Labs, February 2020, https://www.malwarebytes.com/resources/files/2020/02/2020_state-of-malware-report-1.pdf.

⁷ Patrick Wardle, “The Mac Malware of 2020,” Objective-See, January 1, 2021, https://objective-see.com/blog/blog_0x5F.html.

⁸ Phil Stokes, “Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform,” SentinelOne blog, July 27, 2020, https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/.

⁹ Patrick Wardle, “Burned by Fire(fox),” Objective-See, June 20, 2019, https://objective-see.com/blog/blog_0x43.html.

¹⁰ “XCSSET Mac Malware: Infects Xcode Projects, Uses 0Days,” Trend Micro, August 13, 2020, https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html.

¹¹ Taha K., “In the Trails of WindShift APT,” https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf.

¹² Erye Hernandez, “Analyzing a watering hole campaign using macOS exploits,” Threat Analysis Group blog, Google, November 11, 2021, https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/.

¹³ Patrick Wardle, “Lazarus Group Goes ‘Fileless’,” Objective-See, December 3, 2019, https://objective-see.com/blog/blog_0x51.html.

¹⁴ Patrick Wardle, “FinFisher Filleted: a triage of the FinSpy (macOS) malware,” Objective-See, September 26, 2020, https://objective-see.com/blog/blog_0x4F.html.

¹⁵ Patrick Wardle, “All Your Macs Are Belong To Us,” Objective-See, April 26, 2021, https://objective-see.com/blog/blog_0x64.html.

¹⁶ Patrick Wardle, “Apple Approved Malware: Malicious Code . . . Now Notarized!?” Objective-See, August 30, 2020, https://objective-see.com/blog/blog_0x4E.html.

¹⁷ “Threats to macOS users,” SecureList, September 11 , 2019, https://securelist.com/threats-to-macos-users/93116/#malicious-and-unwanted-programs-for-macos/.

¹⁸ Definition from Oxford Languages, https://languages.oup.com/google-dictionary-en/, accessed by entering define: malware in Google.

¹⁹ “How to Reverse Malware on macOS Without Getting Infected,” SentinelOne, https://assets.sentinelone.com/macos-reverse/.

²⁰ Objective-See’s Mac Malware collection, https://objective-see.com/malware.html.