Written by Ashley Zaya and Henry Peltokangas
No matter where I’ve worked, the default hardware for threat analysts has always been a Mac. The reason why researchers have preferred a Mac over a Windows system has always been the perception that they are more secure against malware and other threats while researching them. I think most of the security industry recognized this to be a false sentiment, but it the belief has persisted as it’s difficult to disprove. This is due to the fact that, historically, cyber-attacks have disproportionally targeted Windows systems solely due to Windows having much higher market share, and therefore larger attack surface.
However, one of Verodin’s core missions is to dispel assumptions about cybersecurity and to provide evidence on its effectiveness. So, rather than buying into the myth, the Verodin Behavior Research Team (BRT) has focused on researching Mac and reconstructing attacks to measure the state of macOS security.
A quick open-source search shows that the threats do indeed exist, and adversaries are regularly targeting Mac users. In fact, statistics show that macOS targeted attacks have been steadily growing over the past few years.   So why does this perception exist that Macs are immune to malware and other threats? Could it be the fact that most of our attention has been on Windows and threats dependent to Windows operating system? Personally, I believe that this does play a larger role in the misconception. When we tried to find existing research regarding macOS security we found very little to go off of.
Apple provides a variety of out of the box security features to help users protect against various threats, some of which are newer features released recently with macOS 10.14 (Mojave). In the light of recent reports, and the security features introduced with Mojave, it’s good to have a closer look into the security of your macOS.
Bypassing Native macOS Security Features for Malicious File Transfer
Let’s start with security features. Apple uses a File Quarantine method for protecting users against malicious files downloaded from the Internet. Three key components make up the File Quarantining process: Gatekeeper, XProtect, and MRT (Malware Removal Tool). Gatekeeper, as the name may suggest, acts as the first line of defense against malicious files downloaded from the Internet. Its role is to enforce code signing and verify that files have not been tampered with prior to execution. In newer macOS operating systems, Gatekeeper gives users the option to allow apps downloaded from the App Store or both the App Store and identified developers. If the source is neither notarized or from the App Store, Gatekeeper will block the execution and prompt the end user. Any files flagged by Gatekeeper are then checked against XProtect’s definition list as well as a list of Yara rules to determine if the file is malicious. If malware is found, MRT steps in to remove the file. Apple updates and maintains both Xprotect’s definition list and Yara rules. At the time this blog post was written, roughly 95 different signatures are included in each set.
As a macOS user, you may think that only downloading from trusted sources like the App Store or identified developers reduces your chances of downloaded malware. While true, the process for becoming an identified developer is relatively simple. For the price of $99 a year, anyone can enroll in the Apple Developer Program with an Apple ID. In 2017, authors of OSX/Dox took advantage of the process to successfully spread malware through phishing campaigns.
Additionally, Gatekeeper only monitors files downloaded from the Internet through an Internet browser, which leads me to the second downfall of Gatekeeper. Gatekeeper's limited scope still leaves us with a variety of other methods for downloading files onto the device. Take a look at the example below, where I've downloaded the same file using an Internet browser and wget. Both files, downloaded from the same source, were treated differently Gatekeeper. By using the wget, or another command line tool to download the file, we bypass Gatekeeper entirely. If we try to execute the file downloaded through the browser, we receive the prompt seen in Figure 3. While this is a simplified example, there will always continue to be new, more advanced techniques for navigating around Apple’s defenses.
Before we move on, I want to circle back to XProtect. XProtect's signatures are based on matching indicators of compromise (IoC). For MRT to take any action on a malicious file, XProtect must return a successful match against its signatures. For XProtect to return a match, the file must be written to disk. Do you see where I'm going with this? Relying on XProtect and MRT as our method of detection forces us to be reactive to these threats. More importantly, if we use an indicator such as a hash, as seen in Figure 1, all it would take for an attacker to bypass XProtect’s scans is some simple defense evasion techniques such as software packing or binary padding to alter the file and change the hash. If we shift our focus away from indicators and focus on malicious behaviors, we can start proactively detecting and blocking this activity long before the malware reaches the system.
Executing Malicious Code on macOS with AppleScript
As for execution techniques, we focused on the use of AppleScripts, a scripting language created by Apple for automation on Mac devices. Although typically used to automate repetitive or administrative jobs, adversaries take advantage of these scripts, just like other scripting languages, to perform a variety of tasks across most of the ATT&CK Tactics. Luckily for Mac users, Apple has restricted the use of application inter-communication via Apple Events in Mojave, which blocks most cases of exploitation. However, being that this is a new feature, operating systems prior to 10.14 are still susceptible to code execution via AppleScripts. Take a look at the example below. The Figure 4 shows an Action running on a macOS Actor on High Sierra. The application, once executed, runs an AppleScript to collect and save Safari's bookmarks to the /tmp directory. When the same Action runs on a macOS Actor on Mojave, we receive an error ‘1743’ (Figure 5) and the script is blocked from running.
Not an Impenetrable Fortress
Apple has made great strides to protect its users and their data in macOS 10.4. Mojave includes a handful of new features to secure some of the most important data on your computer. With Full Disk Access, data stored by Apple’s built-in Apps, such as Mail or Messages, is off limits to other applications unless given prior approval. Mojave also offers better password management and a stronger password generator and has made users more aware when applications try to use the microphone or camera. As Apple’s security features continue to evolve and expand though, our adversaries will continue to develop new techniques to circumvent these controls. For example, just this week, a security researcher released a macOS 0-Day flaw that allows attackers to bypass the method for validating the integrity of whitelisted apps.
To help validate your macOS security, the Verodin BRT has released an Evaluation that includes all the techniques mentioned above, as well as, many others that expand across the Initial Access, Collection, Defense Evasion, Execution MITRE ATT&CK Tactics. Using this Evaluation, as well as the other Actions included in the Content Pack, users can better understand the shortcomings of Apple’s built in defenses and what areas lack the necessary layered defenses. By running these Actions within your environment, you can gain a clearer picture of what activity is allowed, whether events are generated for the activity, and if alerting is necessary for future investigation. Use this information to guide decision making for determining what areas lack the visibility needed to detect this activity and what controls are necessary to keep your critical assets secure.
Don’t wait to find out if you are vulnerable. Be proactive and test with Verodin.