Abstract


Patrick Wardle is the Chief Security Researcher at Synack and founder of Objective-See. Having worked at NASA and the NSA, as well as having presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery and the emerging threats of macOS and mobile malware. In his personal time, Patrick collects macOS malware and writes free security tools.

Abstract
========

For better or worse, now is a great time to be a Mac malware analyst! 2017 saw the emergence of new macOS threats such as Xagent, Proton, MacRansom, and FruitFly. In this talk, we'll begin by providing a brief overview of these threats, before diving into a full analysis of FruitFly.

FruitFly, the first Mac malware of 2017, is a rather intriguing specimen. Targeting mainly US victims in an attempt to spy on them, it is thought to have flown under the radar for many years and, even now, is detected by only a handful of security products. In order to gain a comprehensive understanding of this insidious threat, instead of relying on traditional methods of analysis (such as debuggers and disassemblers), the talk will discuss the creation of a custom command and control server. Armed with this server, we'll show how we could coerce FruitFly to reveal its full capabilities... simply by asking the right questions!

Of course, this approach hinges on the ability to closely observe the malware's actions. As such, we'll discuss macOS-specific tools that can monitor various events and, where necessary, detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes the commands the malware sends to the OS in order to control the mouse).
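The "ask it the right questions" approach above, as an added example that is not code from the talk or from Objective-See: a minimal interrogation server in Python that plays the role of the C&C, sends probe commands to a connected implant one at a time, and records what (if anything) comes back for each. Everything protocol-specific here is a constructed placeholder, not FruitFly's real protocol: the newline-delimited command/reply framing, the mock implant and its reply table, and the loopback port are all assumptions made so the example runs offline. In practice you would reimplement whatever framing the sample's network code reveals, and point the sample at this listener inside an isolated VM by hijacking its C&C hostname (for instance via /etc/hosts or a local DNS server).

```python
"""Interrogation-server stand-in for malware analysis (added example).

The framing below (ASCII command + '\n', ASCII reply + '\n') and the mock
implant's reply table are hypothetical placeholders, NOT FruitFly's protocol.
"""
import socket
import threading

# Constructed reply table for the mock implant: the 'unknown' probe is
# deliberately absent so the example also exercises the no-answer path.
MOCK_REPLIES = {
    b"ping": b"pong",
    b"whoami": b"user",
}


def recv_line(sock):
    """Read up to and including '\n'; return the line without it.
    Returns b'' on a closed connection. Raises socket.timeout if the
    peer stays silent past the socket's timeout."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\n")


def interrogate(conn, commands, timeout=0.5):
    """Send each probe command over an accepted connection and record the
    implant's raw reply. A command the implant ignores is recorded as b'',
    which is itself useful: it tells the analyst the command is unknown."""
    conn.settimeout(timeout)
    transcript = {}
    for cmd in commands:
        conn.sendall(cmd + b"\n")
        try:
            reply = recv_line(conn)
        except socket.timeout:
            reply = b""
        transcript[cmd] = reply
    return transcript


def mock_implant(port):
    """Constructed client standing in for the sample: connects to the
    'C&C', answers known commands, silently ignores everything else."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        while True:
            try:
                cmd = recv_line(s)
            except OSError:
                return
            if cmd == b"":          # server closed the connection
                return
            reply = MOCK_REPLIES.get(cmd)
            if reply is not None:
                s.sendall(reply + b"\n")


def run_demo(commands=(b"ping", b"whoami", b"unknown")):
    """Listen on an ephemeral loopback port, let the mock implant call in,
    interrogate it, and return the {command: reply} transcript."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    implant = threading.Thread(target=mock_implant, args=(port,), daemon=True)
    implant.start()
    conn, _ = srv.accept()
    with conn:
        transcript = interrogate(conn, commands)
    srv.close()
    implant.join(timeout=2)
    return transcript


if __name__ == "__main__":
    for cmd, reply in run_demo().items():
        print(f"{cmd!r:12} -> {reply!r}")
```

Against a real sample the interesting output is the full transcript: which probes produce a reply, which produce side effects you observe with process, file and network monitors (or the mouse sniffer described above), and which are silently dropped. The per-command timeout is what lets you walk an unknown command space without hanging on the first command the implant does not recognise.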
