Patrick Wardle: Making the Old, New: repurposing macOS malware
December 9, 2019.
Patrick Wardle speaking at the Jailbreak Brewing Company Security Summit on Friday, October 11, 2019.
Whenever a new Mac malware specimen is uncovered, it provides a unique insight into the offensive Mac capabilities of hackers or nation-state adversaries. Better yet, such discoveries provide fully-functional capabilities that may be weaponized for our own surreptitious purposes! Life is short, why write your own?
We’ll begin this talk by discussing the methodology of subverting existing malware for “personal use”, highlighting both the challenges and benefits of such an approach.
Next, we’ll walk-thru the weaponization of various Mac malware specimens including: an interactive backdoor, a file-exfiltration implant, ransomware and a crypto-miner. Customizations include various configuration and runtime binary modifications that will coerce such malware to accept tasking from our own C&C servers, and/or automatically perform actions on our behalf.
Of course, in their pristine state, such samples are currently blocked by macOS and/or detected by AV products. As such we’ll also walk-thru subtle modifications that will ensure our modified specimens remains undetected by traditional detection approaches.
In conclusion, we’ll highlight novel heuristic methods that can generically detect such threats to ensure Mac users remain protected even from such weaponized threats.