Modern macOS userland runtime analysis. (September 2021)
- Record Type:
- Journal Article
- Title:
- Modern macOS userland runtime analysis. (September 2021)
- Main Title:
- Modern macOS userland runtime analysis
- Authors:
- Manna, Modhuparna
- Case, Andrew
- Ali-Gombe, Aisha
- Richard, Golden G.
- Abstract:
- Abstract: The continued rise of Apple's macOS in both the home and workplace has led to a significant rise in the capabilities of both malware and attacker toolkits that target the operating system and its users. Over the last several years there have been numerous documented instances of macOS users being targeted by governments, intelligence agencies, and criminal groups, and the end results of these attacks were the victims having highly sophisticated malware installed on their systems. Unfortunately, the rise of these threats has not been met with an equal research and development effort by the memory forensics community. This has led to a gap in automated analysis in memory forensic frameworks and has left inexperienced investigators with little chance of detecting the malware's presence. Even for experienced investigators, detection was still difficult in many circumstances and required significant manual investigation for a chance at success. This paper documents our research effort to close this gap through the development of novel memory forensic capabilities aimed at detecting advanced, real-world malware that targets macOS systems. This research was driven through analysis of numerous malware samples that were used as part of espionage and criminal attack campaigns, and the end result was three new Volatility plugins that automate the detection of such malware. By leveraging these plugins, investigators of all skill levels can detect macOS userland malware in an automated, scalable, and flexible manner.
- Highlights: New plugins for Volatility to help identify Swift and Objective-C malware. Use of memory forensics to locate objects in Mac applications. Utilize Apple data structures to find memory allocation of objects in Mac apps. …
- Is Part Of:
- Forensic science international. Volume 38 (2021), Supplement
- Journal:
- Forensic science international
- Issue:
- Volume 38 (2021), Supplement
- Issue Display:
- Volume 38, Issue 2021 (2021)
- Year:
- 2021
- Volume:
- 38
- Issue:
- 2021
- Issue Sort Value:
- 2021-0038-2021-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-09
- Subjects:
- Memory forensics -- macOS forensics -- Memory analysis -- Malware -- Swift -- Objective-C
- Journal URLs:
- http://www.sciencedirect.com/
- DOI:
- 10.1016/j.fsidi.2021.301221
- Languages:
- English
- ISSNs:
- 2666-2817
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
- British Library HMNTS - ELD Digital store
- Ingest File:
- 19410.xml