OBTS v2.0 Talk

Hypervisor-Based Analysis of macOS Malware

With macOS malware on the rise, businesses need an effective way to analyze large amounts of potentially malicious files and detect even previously unknown threats. Malware sandboxes which record and analyze the behavior of an executable in an isolated environment are one such tool.

VMRay has developed the first hypervisor-based macOS malware sandbox which is able to trace the behavior of a target process from high-level Objective-C calls down to the syscall level without kernel extensions, hooking or any kind of modification of the guest OS. Our hypervisor-based approach ensures evasion resistance while profiting from the performance of hardware-assisted virtualization.

In this technical talk, VMRay Technical Lead, Felix Seele will begin by introducing the concepts of Two-Dimensional Paging, Intermodular Transition Monitoring and Virtual Machine Introspection (VMI) which are the foundation of our work. Next, we will dive into the nitty-gritty details of the macOS kernel and userspace architecture and demonstrate how we use VMI to reconstruct relevant aspects of the guest VM. We show different methods of inter-process communication can be used by malware to evade dynamic analysis systems and how we can thwart these evasion attempts. Finally, we demonstrate our results using real-world malware samples.

Related Reading: Stepping into the Breach: Improving Security Researchers’ Ability to Dynamically Analyze macOS Malware at Scale