Office Drama on macOS

The presentation discusses the use of Apple's new endpoint security framework to detect and prevent attacks on Mac systems. The speaker also announces the release of a new book on Mac malware analysis.

• The speaker thanks the audience and announces a new book on Mac malware analysis
• The presentation discusses the use of Apple's new endpoint security framework to detect and prevent attacks on Mac systems
• The speaker explains how they came up with ideas for their research and how they leveraged existing exploits to create a sandbox escape
• The presentation highlights the challenges of bypassing file quarantines and notarization requirements in newer versions of Mac OS
• The speaker discusses the trend of increasing cyber attacks on Mac systems in the enterprise, possibly due to the rise of remote work

The speaker explains how they were able to bypass the sandbox in Microsoft Office by creating a login item that executes outside the context of the sandbox. However, they ran into issues with file quarantines and notarization requirements in newer versions of Mac OS, which prevented them from persisting a backdoor. They also discuss the potential for creating a launch agent to bypass these security measures, but note that Microsoft's patch for a previous bug explicitly blocks the creation of launch agents.

In the world of Windows, macro-based Office attacks are well understood (and frankly are rather old news). However on macOS though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community.In this talk, we will begin by analyzing recent macro-laden documents targeting Apple's desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, these malicious documents and their payloads remain severely constrained by recent application and OS-level security mechanisms.However, things could be far worse! Here, we'll detail the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple's stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!To conclude, we'll explore Apple's new Endpoint Security Framework illustrating how it can beleveraged to thwart each stage of our exploit chain, as well as generically detect advanced "document-delivered" payloads and even persistent nation-state malware!