Attack Chain

1. The attacker crafts a malicious dynamic library.
2. The attacker identifies a SIP-entitled process on macOS.
3. The attacker leverages a sandboxing vulnerability or misconfiguration to influence the target process.
4. The system is tricked into loading the malicious library into the SIP-entitled process.
5. The malicious library executes within the context of the SIP-entitled process.
6. The attacker gains elevated privileges and bypasses SIP restrictions.
7. The attacker performs malicious actions, such as data exfiltration or system compromise.

Impact

A successful exploit of this vulnerability allows an attacker to bypass System Integrity Protection, a critical security feature in macOS. This can lead to complete system compromise, as the attacker can execute arbitrary code with elevated privileges. Although specific victim counts and targeted sectors are unavailable, the vulnerability poses a significant threat to any macOS system where SIP is relied upon for security.

Recommendation

• Monitor for unexpected library loads into SIP-entitled processes using process creation and image load logs.
• Investigate any unexplained modifications to sandboxing configurations or profiles.
• Deploy the Sigma rule to detect the loading of unsigned libraries into protected processes.
• Enable and review system integrity events to identify unauthorized modifications to system files.

Attack Chain

1. Initial Infection (MacDownloader): A phishing email directs the user to a fake Adobe Flash Player download site.
2. Execution: The user downloads and executes the fake Flash Player installer (addone flashplayer.app). Gatekeeper may block execution unless disabled or explicitly allowed.
3. Persistence (FruitFly): The malware creates a launch agent (plist file) in the ~/Library/LaunchAgents/ directory (e.g., com.client.client.plist for FruitFly variant ‘A’).
4. Persistence (MacDownloader): Attempts to modify /etc/rc.common to execute /etc/.checkdev on startup, but this functionality may be incomplete.
5. Data Collection (MacDownloader): The malware harvests information on the infected system, including active Keychains, running processes, installed applications, and potentially usernames and passwords via fake System Preferences dialog.
6. Command and Control (FruitFly): The malware connects to a command and control (C2) server.
7. Data Exfiltration (MacDownloader): Stolen data, including keychain contents and system information, are exfiltrated to the C2 server.
8. Remote Access (FruitFly): The attacker gains remote access to the file system, can execute system commands, and access the webcam. They can also generate screen captures and simulate mouse/keyboard events.

Impact

The malware detailed in this report can lead to significant compromise of macOS systems. FruitFly allows attackers to spy on users via their webcams, access files, and control the system remotely. MacDownloader (iKitten) targets sensitive data, including keychain credentials, potentially enabling attackers to access protected accounts and services. Successful infections can result in data theft, espionage, and loss of control over the compromised system. Although specific victim counts are not provided, the malware targeted a wide range of users and organizations.

Recommendation

• Monitor for the creation of launch agents in the ~/Library/LaunchAgents/ directory, especially those with suspicious names and associated executables, to detect persistence mechanisms used by malware like FruitFly. Deploy a tool like KnockKnock to aid in detection (Attack Chain - Step 3).
• Implement detections for attempts to modify the /etc/rc.common file, which MacDownloader attempts to use for persistence, although the functionality may be incomplete (Attack Chain - Step 4).
• Deploy the Sigma rule to detect execution of unsigned applications, which is a common characteristic of malware like MacDownloader that relies on tricking users into bypassing Gatekeeper (Attack Chain - Step 2).
• Enable network monitoring to identify connections to command and control servers used by malware such as FruitFly (Attack Chain - Step 6).
• Monitor process execution for connections to external IP addresses (Attack Chain - Step 6).
• Educate users about the risks of phishing emails and the importance of verifying the authenticity of software downloads to prevent initial infection from malware like MacDownloader (Attack Chain - Step 1).

Attack Chain

1. The attacker identifies a vulnerable application using tools like Dylib Hijack Scanner (DHS), looking for apps with weak or rpath-dependent dylib loading.
2. The attacker confirms the absence of library-validation option (flag=0x200) using codesign to verify if dylib hijacking is possible.
3. The attacker crafts a malicious dylib (e.g., hello-tresorit.dylib) containing code to be executed upon loading, such as opening a Terminal or creating a syslog entry.
4. The attacker uses gcc to compile the dylib. The attacker uses a tool like createHijacker.py to fix the dylib version and add exports from the original dylib to the malicious dylib.
5. The attacker exploits a vulnerability to bypass root folder permissions to copy the malicious dylib to the application’s framework directory (e.g., /Applications/Tresorit.app/Contents/MacOS/TresoritExtension.app/Contents/PlugIns/FinderExtension.appex/Contents/MacOS/../../../../Frameworks/UtilsMac.framework/Versions/A/UtilsMac).
6. The attacker launches the targeted application, causing the malicious dylib to be loaded into the application process.
7. The malicious code within the dylib executes with the privileges of the application, potentially escalating privileges to root.
8. The attacker achieves persistence or performs other malicious actions based on the gained privileges.

Impact

Successful exploitation of this vulnerability can lead to complete system compromise. An attacker gaining root access can install persistent backdoors, steal sensitive data, or deploy ransomware. The number of potential victims is large, as many macOS applications from the App Store are vulnerable. The affected sectors span various industries, as the vulnerability affects a wide range of applications. The consequences of a successful attack range from data breaches and financial loss to complete system control by the attacker.

Recommendation

• Use a tool like Dylib Hijack Scanner to identify vulnerable applications in your environment and prioritize patching or removal.
• Monitor for the creation of new dylibs within application framework directories, which may indicate a dylib hijacking attempt, using a file integrity monitoring system.
• Deploy the Sigma rule Detecting Dylib Hijacking via DYLD_PRINT_RPATHS to detect attempts to identify vulnerable dylibs.
• Enable library validation for applications to prevent the loading of unsigned or improperly signed dylibs.
• Use process monitoring tools like Objective-See’s ProcInfo to detect suspicious process creation events that may be indicative of exploitation.

The communication involves a kext utilizing kev_msg_post to send data to a user-mode application through a system socket. Objective-See’s BlockBlock tool uses this technique to correlate persistent file I/O events with the responsible process. Abuse of kev_msg_post can allow malicious kexts to exfiltrate sensitive kernel-level information or trigger actions in user-mode without detection by conventional monitoring tools. This technique is relevant to defenders because it provides a stealthy mechanism for malware to operate within macOS, potentially leading to undetected data theft, privilege escalation, or system compromise.

Attack Chain

1. A malicious kext is loaded into the macOS kernel, often requiring elevated privileges or exploiting a vulnerability.
2. The kext uses the kev_vendor_code_find function to obtain a vendor ID associated with the kext (e.g., “com.objective-see”).
3. The kext registers for process execution events using kauth or MAC policies.
4. When a new process is created, the kext’s callback function is triggered.
5. The kext populates a kev_msg structure with process information, including the process ID (PID), user ID (UID), parent process ID (PPID), and path to the executable.
6. The kext calls the undocumented kev_msg_post function to broadcast the process information to a system socket.
7. A user-mode application with a socket connected to the same vendor ID receives the broadcasted message, extracting the process information.
8. The attacker can use the process information for malicious purposes, such as injecting code into the new process, monitoring its activity, or terminating it.

Impact

Successful exploitation could allow attackers to monitor and manipulate processes on a compromised macOS system without detection by standard userland monitoring tools. This could lead to data exfiltration, privilege escalation, or other malicious activities. Due to the nature of the kernel, even a single successful compromise can lead to complete system compromise.

Recommendation

• Monitor for the loading of unsigned or untrusted kernel extensions using system integrity monitoring tools that track kext loading events.
• Implement detections for user-mode applications creating system sockets with the SYSPROTO_EVENT protocol, as described in the “Receiving the Data in User-Mode” section. This can be done using an endpoint detection and response (EDR) solution or auditd.
• Develop YARA rules to scan kernel memory for the presence of kexts using the undocumented kev_msg_post function to detect malicious kexts attempting to communicate outside kernel space.
• Audit the use of ioctl calls with SIOCGKEVVENDOR and SIOCSKEVFILT to detect user-mode applications attempting to filter for specific kernel events, using the code samples from the “Receiving the Data in User-Mode” section as reference.

Attack Chain

1. Attacker gains initial access to the system (e.g., through exploitation or social engineering).
2. Attacker executes a malicious binary or script.
3. The malicious process creates or modifies a file on the system.
4. The Endpoint Security Framework captures the file I/O event.
5. The file monitor, leveraging the Endpoint Security Framework, receives a notification about the event.
6. The file monitor extracts information about the event, including the process ID, path, code-signing information, and the type of file event (e.g., create, write).
7. Based on the extracted information, the file monitor determines if the event is malicious (e.g., rapid creation of encrypted files, persistence attempt).
8. The file monitor alerts the user or security system about the malicious activity.

Impact

A successful attack can lead to various detrimental outcomes, including data encryption by ransomware, persistent malware installation, and unauthorized access to sensitive information. File monitors, such as the one described, aim to detect and prevent such attacks. Without proper file monitoring, malicious activities can go unnoticed, leading to significant data loss, system compromise, and financial damage. The Endpoint Security Framework intends to address the limitations of previous monitoring solutions.

Recommendation

• Enable Endpoint Security Framework event collection to monitor file creation events using the ES_EVENT_TYPE_NOTIFY_CREATE event type described in the overview.
• Deploy the Sigma rule for detecting file creation by unsigned processes to identify potentially malicious activity (see Sigma rule below).
• Monitor for processes with missing or invalid code-signing information, as these may be indicators of malicious activity, using the Endpoint Security Framework’s process information detailed in the overview.