Harnessing Weapons of Mac Destruction

Conference: Defcon 27



The presentation discusses the benefits of repurposing malware for offensive cyber operations and the importance of behavior-based detection rules in detecting repurposed malware.
  • Repurposing malware created by well-funded and motivated hackers and agencies can save time and resources for offensive cyber operations.
  • Repurposed malware can be misattributed to the original authors, providing a layer of protection for the repurposing group.
  • Behavior-based detection rules are important in detecting repurposed malware, as they allow for the detection of both the original and repurposed versions.
  • Objective-See has developed free open-source Mac security products that implement behavior-based detections.
  • An all-in-one tool that implements behavior detections can generically detect even repurposed Mac malware.
  • Examples of behavior-based detection rules for detecting repurposed malware include monitoring for unusual logic and runtime behaviors.
  • Behavior-based detection rules are more effective than signature-based detection approaches.
The speaker mentions that repurposing malware is a good idea for lazy hackers who would rather be sleeping or surfing than writing their own malware. The speaker also notes that the benefit of using repurposed malware is that it allows for the deployment of malware in risky environments without risking detection by other adversaries.


Whenever a new Mac malware specimen is uncovered, it provides a unique insight into the offensive Mac capabilities of hackers or nation-state adversaries. Better yet, such discoveries provide fully-functional capabilities that may be weaponized for our own surreptitious purposes! I mean, life is short, why write your own? We'll begin this talk by discussing the methodology of subverting existing malware for "personal use", highlighting both the challenges and benefits of such an approach. Next, we'll walk through the weaponization of various Mac malware specimens, including an interactive backdoor, a file-exfiltration implant, ransomware, and yes, even adware. Customizations include various runtime binary modifications that will coerce such malware to accept tasking from our own C&C servers, and/or automatically perform actions on our behalf. Of course, in their pristine state, such samples are currently detected by AV products. As such, we'll also walk through subtle modifications that will ensure our modified tools remain undetected by traditional detection approaches. In conclusion, we'll highlight novel heuristic methods that can generically detect such threats to ensure Mac users remain protected even from such weaponized threats.


