Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques / Pham, Duy-Phuc; Vu Duc, Ly; Massacci, Fabio. - In: JOURNAL OF COMPUTER VIROLOGY AND HACKING TECHNIQUES. - ISSN 2274-2042. - ELETTRONICO. - 15:4(2019), pp. 249-257. [10.1007/s11416-019-00335-w]

Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques

Pham, Duy-Phuc; Vu Duc, Ly; Massacci, Fabio
2019

Abstract

With the increasing popularity of macOS, the number and variety of macOS malware are rising as well. Yet very few tools exist for dynamic analysis of macOS malware. In this paper, we propose a macOS malware analysis framework called Mac-A-Mal. We develop a kernel extension to monitor malware behavior and mitigate several anti-evasion techniques used in the wild. Our framework exploits the macOS XPC service invocation features that typically escape traditional mechanisms for detecting child processes. Performance benchmarks show that our system is comparable with professional tools and able to withstand VM detection. By using Mac-A-Mal, we discovered 71 unknown adware samples (8 of them using valid distribution certificates), 2 keyloggers, and 1 previously unseen trojan involved in the APT32 OceanLotus campaign.
Files in this record:

File: Pham2019_Article_Mac-A-MalMacOSMalwareAnalysisF.pdf
Access: open access
Type: Publisher's version (publisher's layout)
License: Creative Commons
Size: 845.86 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: http://hdl.handle.net/11572/251134
Citations
  • Scopus: 3
  • ISI: 1