In February of 2019, researchers at Intego reported on a family of macOS malware they had newly discovered in the wild, which they named Shlayer. In November 2018, Carbon Black researchers saw an increase in infections from malware later identified to be Shlayer and began deeper investigation. The sites serving out this malware - mostly as fake Adobe Flash updates or malicious browser extensions - employed increasing levels of anti-analysis based on system and location fingerprinting to hinder harvesting of samples. Digging deeper into analysis, we found that these samples were signed with legitimate Apple developer IDs and used legitimate system applications via bash to conduct all installation activity, complicating detection. Furthermore, these samples were observed to achieve privilege escalation by use of the deprecated AuthorizationExecuteWithPrivileges API.
In this talk we will provide a technical overview of exemplary samples of Shlayer, including site discovery, distribution techniques, obfuscation, privilege escalation, and behavior. We will also discuss the difficulties of analyzing macOS malware, as traditional disassemblers aren't enlightened to the inner workings of Objective-C. To address this gap in malware analysis tooling, we will present newly developed plugins for Binary Ninja that improve Objective-C analysis, including structure recovery and rendering objc_msgSend calls in a more readable format. Finally, we will demonstrate how our toolset aided in analysis of the Shlayer malware family. These tools will be released to the public after the talk.
Presented at
Resources
Authors
- Erika Noerenberg, Senior Threat Researcher, Carbon Black
- Josh Watson