YARA-ing with MacOS
MacOS malware, and Mach-O samples, represent the next frontier for many burgeoning threat intelligence professionals. Before we get started, this post cannot happen without referencing senpai Patrick Wardle. Read his blog on Objective-See, and read his dang book on the Art of Mac Malware (IT'S FREE), since many of the techniques herein for triage and analysis are taken from his work.
This piece, by contrast, will focus much more on writing a good rule or two to track a particular malware family.
Today our specimen will be CloudMensis, first disclosed by ESET and also analyzed by Volexity, which attributed the family to APT37. We're going to look at the spyware component, not the loader.
Let's start with binary refinery to read it in:
!emit /Users/glesnewich/Projects/Malware/APT37/CloudMensis/b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd | peek
-------------------------------------------------------------------------------
01.393 MB; 74.47% entropy; Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
-------------------------------------------------------------------------------
00000000: CA FE BA BE 00 00 00 02 …
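The `CA FE BA BE 00 00 00 02` that peek reports is the big-endian fat header of a universal binary: magic, then a count of two `fat_arch` records, each pointing at a slice that starts with its own little-endian `CF FA ED FE` Mach-O header. That matters for rule writing, since a rule anchored on the 64-bit Mach-O magic at offset 0 will never see a fat file. As an added example (not code from the post or from binary refinery), the parser below walks that header over a constructed sample and refuses slices that point outside the buffer; `parse_fat`, `describe` and `SAMPLE` are names chosen here.

```python
import struct

FAT_MAGIC = 0xCAFEBABE    # universal (fat) header magic; fat structures are big-endian
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit Mach-O magic of each slice; little-endian on x86_64/arm64
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}  # cputype from <mach/machine.h>


def parse_fat(data: bytes) -> list[dict]:
    """Parse a universal binary's fat header into one dict per architecture slice.
    A slice that points outside the buffer raises ValueError, so a crafted header
    cannot steer later parsing to bogus offsets."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError(f"not a fat binary, magic is {magic:#010x}")
    slices = []
    for i in range(nfat_arch):
        entry = data[8 + i * 20 : 28 + i * 20]        # one 20-byte fat_arch record
        if len(entry) < 20:
            raise ValueError("fat_arch table is truncated")
        cputype, cpusubtype, offset, size, align = struct.unpack(">IIIII", entry)
        if size < 4 or offset + size > len(data):
            raise ValueError(f"slice {i} ({offset:#x}+{size:#x}) lies outside the file")
        inner_magic = struct.unpack("<I", data[offset:offset + 4])[0]
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"cputype {cputype:#x}"),
            "cpusubtype": cpusubtype, "offset": offset, "size": size,
            "align": 1 << align, "is_macho64": inner_magic == MH_MAGIC_64,
        })
    return slices


def describe(data: bytes) -> str:
    """One-line summary in the spirit of refinery's peek output."""
    slices = parse_fat(data)
    return (f"Mach-O universal binary with {len(slices)} architectures: "
            + " ".join(f"[{s['arch']}]" for s in slices))


# Constructed sample: fat header + two minimal 64-bit slices placed right after
# the table. Real binaries page-align slices (align 14 = 16 KiB); 0 keeps it tiny.
_SLICE = struct.pack("<I", MH_MAGIC_64) + b"\0" * 28   # fake mach_header_64 (32 bytes)
SAMPLE = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">IIIII", 0x01000007, 3, 48, len(_SLICE), 0)                # x86_64 ALL
    + struct.pack(">IIIII", 0x0100000C, 0, 48 + len(_SLICE), len(_SLICE), 0)  # arm64 ALL
    + _SLICE + _SLICE
)
```

On a real sample, the `offset` of each slice is where a per-architecture rule (or a `macho` module lookup) has to start, not offset 0 of the file.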