Abstract
With macOS increasing popularity, the number, and variety of macOS malware are rising as well. Yet, very few tools exist for dynamic analysis of macOS malware. In this paper, we propose a macOS malware analysis framework called Mac-A-Mal. We develop a kernel extension to monitor malware behavior and mitigate several anti-evasion techniques used in the wild. Our framework exploits the macOS features of XPC service invocation that typically escape traditional mechanisms for detection of children processes. Performance benchmarks show that our system is comparable with professional tools and able to withstand VM detection. By using Mac-A-Mal, we discovered 71 unknown adware samples (8 of them using valid distribution certificates), 2 keyloggers, and 1 previously unseen trojan involved in the APT32 OceanLotus.
| Original language | English |
|---|---|
| Pages (from-to) | 249-257 |
| Number of pages | 9 |
| Journal | Journal of Computer Virology and Hacking Techniques |
| Volume | 15 |
| Issue number | 4 |
| Early online date | 19 Jun 2019 |
| DOIs | |
| Publication status | Published - Dec 2019 |
Funding
The project leading to this paper has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No 675320 (NeCS: European Network for Cyber Security). This work was also partially supported by Securify B.V.
| Funders | Funder number |
|---|---|
| Securify B.V. | |
| Horizon 2020 Framework Programme | 675320 |
Fingerprint
Dive into the research topics of 'Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques'. Together they form a unique fingerprint.Cite this
- APA
- Author
- BIBTEX
- Harvard
- Standard
- RIS
- Vancouver