Article

Abstract

The continued rise of Apple's macOS in both the home and workplace has led to a significant rise in the capabilities of both malware and attacker toolkits that target the operating system and its users. Over the last several years there have been numerous documented instances of macOS users being targeted by governments, intelligence agencies, and criminal groups, and the end results of these attacks were the victims having highly sophisticated malware installed on their systems. Unfortunately, the rise of these threats has not been met with an equal research and development effort by the memory forensics community. This has led to a gap in automated analysis in memory forensic frameworks and has left inexperienced investigators with little chance of detecting the malware's presence. Even for experienced investigators, detection was still difficult in many circumstances and required significant manual investigation for a chance at success. This paper documents our research effort to close this gap through the development of novel memory forensic capabilities aimed at detecting advanced, real-world malware that targets macOS systems. This research was driven by analysis of numerous malware samples that were used as part of espionage and criminal attack campaigns, and the end result was three new Volatility plugins that automate the detection of such malware. By leveraging these plugins, investigators of all skill levels can detect macOS userland malware in an automated, scalable, and flexible manner.


... Yu Dengyun et al.: Research on the development of operating systems for China's mega satellite constellations. Windows [9]: PC, server, etc.; macOS [10]: Apple series PCs, etc.; Linux [11]: PC, server, etc. ...
... This is because memory forensics has the potential to provide more information about the current system state (i.e., most recent process activity and data versions) as opposed to analyzing images of persistent storage (e.g., hard disk drives or solid state drives). The most common applications of memory forensics include malware detection and inspection in main memory (e.g., Manna et al., 2022; Case et al., 2020; Manna et al., 2021). ...
Article
Memory analysis is a digital forensics technique whose goal is to model a computer system's state based solely on the analysis of a snapshot of physical memory (RAM). Memory forensics is frequently employed in incident response to detect and analyze modern malware and attack frameworks. Memory forensics is a particularly powerful tool for analyzing modern malware, which may exist only in memory and never touch non-volatile storage. Memory-only attacks leave no trace of the malware and its associated modules on the file system, and all data that traverses the network is commonly encrypted. While initially focused on kernel-level rootkits, memory analysis research efforts have recently shifted to detection of userland malware. This shift occurred as operating system vendors have strongly locked down the ability for kernel rootkits to load, and, in turn, malware authors have developed significant userland malware capabilities. In this paper, we present our effort to develop memory analysis capabilities that target a very powerful and widely abused set of userland runtimes: the .NET Framework and its replacement, .NET Core. To support automated and repeatable results, even for non-expert investigators, we developed a number of Volatility plugins that automatically target key areas of these runtimes and report any suspicious artifacts. Our suite of new plugins provides investigators with deep insight into the use of .NET on a target system as well as identification of suspicious and malicious components. These capabilities considerably advance defenders' ability to combat, contain, and understand modern malware.
Article
Full-text available
In this paper we describe a method for recovering files mapped in memory and for linking mapped-file information to process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file. (c) 2008 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.
Article
Full-text available
This paper describes the use of the Virtual Address Descriptor (VAD) tree structure in Windows memory dumps to help guide forensic analysis of Windows memory. We describe how to locate and parse the structure, and show its value in breaking up physical memory into more manageable and semantically meaningful units than can be obtained by simply walking the page directory for the process. Several tools to display information about the VAD tree and dump the memory regions it describes will also be presented.
Article
Full-text available
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
Article
We present the Forensic Analysis ToolKit (FATKit) – a modular, extensible framework that increases the practical applicability of volatile memory forensic analysis by freeing human analysts from the prohibitively-tedious aspects of low-level data extraction. FATKit allows analysts to focus on higher-level tasks by providing novel methods for automatically deriving digital object definitions from C source code, extracting those objects from memory images, and visualizing the underlying data in various ways. FATKit presently includes modules for general virtual address space reconstruction and visualization, as well as Linux- and Windows-specific kernel analysis.
M. Manna, A. Case, A. Ali-Gombe et al. Forensic Science International: Digital Investigation 38 (2021) 301221