Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques

Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques

With macOS increasing popularity, the number, and variety of macOS malware are rising as well. Yet, very few tools exist for dynamic analysis of macOS malware. In this paper, we propose a macOS malware analysis framework called Mac-A-Mal. We develop a kernel extension to monitor malware behavior and...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Journal of Computer Virology and Hacking Techniques 2019-12, Vol.15 (4), p.249-257
Hauptverfasser: Pham, Duy-Phuc, Vu, Duc-Ly, Massacci, Fabio
Format: Artikel
Sprache:eng
Schlagworte:
Computer Science
Malware
Original Paper
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:With macOS increasing popularity, the number, and variety of macOS malware are rising as well. Yet, very few tools exist for dynamic analysis of macOS malware. In this paper, we propose a macOS malware analysis framework called Mac-A-Mal. We develop a kernel extension to monitor malware behavior and mitigate several anti-evasion techniques used in the wild. Our framework exploits the macOS features of XPC service invocation that typically escape traditional mechanisms for detection of children processes. Performance benchmarks show that our system is comparable with professional tools and able to withstand VM detection. By using Mac-A-Mal, we discovered 71 unknown adware samples (8 of them using valid distribution certificates), 2 keyloggers, and 1 previously unseen trojan involved in the APT32 OceanLotus.
ISSN:2263-8733
2263-8733
DOI:10.1007/s11416-019-00335-w