Starting with introductory topics such as infection vectors, persistence mechanisms, and payloads, this content-packed volume also covers in detail the tools and techniques needed to comprehensively analyze malware targeting Apple's desktop OS.
Front Matter
The front matter of the book includes a table of contents, acknowledgements, introduction, and a foreword (by the noted macOS researcher/author Jonathan Levin).
Part I: Mac Malware Basics
Before we dive into advanced malware analysis topics, it is important that you understand the fundamentals of Mac malware.
In the first part of this book, we'll explore these basics, including: infection vectors, methods of persistence, and capabilities.
Chapter 1: Infection Vectors
A malware's infection vector is the means by which it gains access to a system. Throughout the years, malware authors have relied on mechanisms ranging from simple social engineering tricks to advanced, remote zero-day exploits to infect Macs.
In this chapter, we'll discuss many of the most common techniques used by Mac malware authors.
Chapter 2: Persistence
Once malware has successfully gained access to a system, its next goal is usually to persist. Persistence is the means by which malware installs itself on a system to ensure it will automatically re-execute upon startup, user login, or some other deterministic event.
Though attackers regularly abuse only a small handful of these methods, we'll cover a myriad of surreptitious means by which malware can achieve persistence.
Chapter 3: Capabilities
When analyzing malware, it's often paramount to understand what happens after a successful infection. In other words, what does the malware actually do? Though the answer to this question will depend on a particular malware's goals, it may include surveying the system, escalating privileges, executing commands, exfiltrating files, ransoming user files, or even mining cryptocurrency.
In this chapter, we'll take a detailed look at the capabilities commonly found in Mac malware.
Part II: Mac Malware Analysis
Now that you understand Mac malware's infection vectors, persistence mechanisms, and capabilities, let's discuss how you can effectively analyze malicious samples.
We'll cover both static and dynamic approaches.
Chapter 4: Nonbinary Analysis
This chapter focuses on the static analysis of "nonbinary" file formats, such as packages, disk images, and scripts, that you'll commonly encounter while analyzing Mac malware.
Chapter 5: Binary Triage
In this chapter, we'll continue our discussion of static analysis by focusing on Apple's native executable file format, the venerable Mach object file format (Mach-O).
As the majority of Mac malware is compiled into Mach-Os, all Mac malware analysts should understand the structure of these binaries; at a minimum, this understanding will allow you to differentiate the benign from the malicious.
Chapter 6: Disassembly and Decompilation
If you want to comprehensively understand a novel Mac malware specimen, you'll need a foundational understanding of assembly code, as well as an ability to leverage sophisticated binary analysis tools.
In this chapter, we'll first discuss assembly language basics and then move on to the static analysis approaches of disassembly and decompilation. We'll conclude by applying these analysis approaches with Hopper, a popular reversing tool capable of reconstructing binary code in a human-readable format.
Chapter 7: Dynamic Analysis Tools
When analyzing a malicious sample, it may be more efficient to simply execute the item and passively observe its behavior and actions.
This is especially true when malware authors have implemented mechanisms designed specifically to complicate or even thwart static analysis, such as encrypting embedded strings and configuration information or dynamically loading more code at runtime.
Chapter 8: Debugging
The ultimate dynamic analysis tool is the debugger. A debugger is a program that allows you to execute another program instruction by instruction. At any time, you can examine or modify its registers and memory contents, manipulate control flow, and much more.
In this chapter, I'll introduce various debugging concepts by means of the de facto debugger for macOS: LLDB.
Chapter 9: Anti-Analysis
In the previous chapters, we leveraged both static and dynamic analysis methods to uncover malware's persistence mechanisms, core capabilities, and most closely held secrets.
Of course, malware authors are not happy about their creations being laid bare for the world to see. Thus, they often seek to complicate analysis by writing anti-analysis logic or other protection schemes.
In this chapter we'll discuss anti-analysis approaches common among macOS malware authors.
Part III: Analyzing EvilQuest
It's time to put the universal adage "practice makes perfect" into, well, practice.
In Part III of this book, you'll apply all that you've learned in Parts I and II to thoroughly analyze the intriguing Mac malware specimen known as EvilQuest.
Chapter 10: EvilQuest's Infection, Triage, and Deobfuscation
EvilQuest is a complex Mac malware specimen. Because it employs anti-analysis logic, a viral persistence mechanism, and insidious payloads, it's practically begging to be analyzed. Let's apply the skills you've gained from this book to do just that!
This chapter begins our comprehensive analysis of the malware by detailing its infection vector, triaging its binary, and identifying its anti-analysis logic.
Chapter 11: EvilQuest's Persistence and Core Functionality
Now that we've triaged the EvilQuest specimen and thwarted its anti-analysis logic, we can continue our analysis.
In this chapter we'll detail the malware's methods of persistence, which ensure it is automatically restarted each time an infected system is rebooted. Then we'll dive into the myriad of capabilities supported by this insidious threat.
End Matter