Analyzing state-sponsored malware on macOS
Malware analysis tools
Saljooki begins his talk explaining a possible setup of a malware analysis environment. Some tools he mentions are:
- MachOView and MachOExplorer to view macOS binaries
- Apparency to check code signing
- Hex Fiend, a hex editor
- Hopper Disassembler to dynamically debug, analyze and disassemble a binary
- LuLu for network monitoring
- Wireshark for network packet analysis
- And more!
Your environment can be virtual or “metal.” For the former, Saljooki mentions Virtual Buddy, while for the latter he mentions a dedicated Mac Mini or other Apple device.
VirusTotal and the Objective-See malware repositories offer malware samples for reference and comparison.
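As an added example (not from Saljooki's talk and not code from any of the tools listed above), the following Python script shows the kind of information a MachOView-style viewer surfaces: it parses a 64-bit Mach-O header, walks the load commands, lists the linked dylibs and reports whether an LC_CODE_SIGNATURE load command is present, which is the first thing to check before reaching for Apparency or `codesign`. The binary image it inspects is constructed inline (headers only, no code or segments) so the script runs offline; the magic numbers and command values are the public ones from `mach-o/loader.h`.

```python
import struct

# Constants from mach-o/loader.h (little-endian 64-bit images only)
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE          # fat/universal wrapper, stored big-endian

CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
FILE_TYPES = {2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}

LC_LOAD_DYLIB = 0x0C            # dylib_command: cmd, cmdsize, name offset, ...
LC_CODE_SIGNATURE = 0x1D        # linkedit_data_command: cmd, cmdsize, dataoff, datasize


def parse_macho(data: bytes) -> dict:
    """Parse a 64-bit Mach-O header and walk its load commands.

    Returns the fields an analyst looks at first: CPU type, file type,
    the dylibs the image links against, and whether a code-signature
    load command exists at all. Every offset is bounds-checked so a
    truncated or hostile sample raises ValueError instead of misreading.
    """
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        raise ValueError("fat/universal binary: extract one slice first")
    magic, cputype, _cpusub, filetype, ncmds, sizeofcmds, _flags, _res = \
        struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic 0x{magic:08x}")
    if 32 + sizeofcmds > len(data):
        raise ValueError("sizeofcmds exceeds file size")

    offset = 32
    dylibs = []
    has_signature = False
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError(f"bad cmdsize {cmdsize} at offset {offset}")
        if cmd == LC_LOAD_DYLIB:
            # The name is stored as an offset relative to the start of this command.
            name_off = struct.unpack_from("<I", data, offset + 8)[0]
            if name_off < 24 or name_off >= cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = data[offset + name_off:offset + cmdsize]
            dylibs.append(raw.split(b"\x00", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_CODE_SIGNATURE:
            has_signature = True
        offset += cmdsize

    return {
        "cpu": CPU_TYPES.get(cputype, f"0x{cputype:08x}"),
        "filetype": FILE_TYPES.get(filetype, str(filetype)),
        "ncmds": ncmds,
        "dylibs": dylibs,
        "code_signature": has_signature,
    }


def build_sample() -> bytes:
    """Constructed, minimal arm64 MH_EXECUTE image for the demo (headers only)."""
    def dylib_cmd(name: bytes) -> bytes:
        body = name + b"\x00"
        body += b"\x00" * ((-len(body)) % 8)       # pad command to 8-byte alignment
        size = 24 + len(body)
        # cmd, cmdsize, name offset (24), timestamp, current_version, compat_version
        return struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000) + body

    cmds = dylib_cmd(b"/usr/lib/libSystem.B.dylib")
    cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)   # dataoff, datasize
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for key, value in parse_macho(build_sample()).items():
        print(f"{key:>15}: {value}")
```

A missing LC_CODE_SIGNATURE only tells you the image is unsigned; a present one says nothing about whether the signature is valid, so the next step is still Apparency or `codesign --verify` on a real sample.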
Lazarus APT group
The Lazarus advanced persistent threat (APT) group is a North Korean state-sponsored group. While previously focused on Windows, they have extended their scope to macOS as it becomes more popular. They have been active since at least 2009, and are known for sophisticated cyber espionage and cyber crime campaigns, such as their …