By Micah Graf, Security Researcher at CounterTack
As Mac computers have increased in popularity, so has the Mac operating system that comes preloaded on every new Mac. With this increase in popularity comes an increase in malware targeting Mac OS. Before this, malware for Macs was practically unheard of, not because it wasn’t possible but because Mac users were such a small minority that it didn’t make sense to write malware targeting them. Generally, a malware author’s goal is to reach the largest number of users possible in order to make as much money as possible, which meant targeting Windows PCs, since they were (and still are) the vast majority worldwide. However, as Mac popularity increased and other kinds of threats appeared (APTs, nation-state attacks, etc.), it suddenly made sense to target Mac users. Malware targeting Macs started appearing in the wild and turning up more and more often in the news.
Starting from the lowest level and working our way up, the first level of persistence occurs before the OS is even running. These methods are typically hardware specific and require re-flashing the firmware or installing malicious EFI components. These techniques, referred to as rootkits, are highly complex and therefore not common among malware variants. We won’t go into detail on these forms of attack, since they operate outside of the Mac operating system itself.
The next form of persistence on a Mac is the use of kernel extensions (kexts for short). Kexts run in the kernel, which means they execute at the highest privilege level; this is very desirable to malware, since it allows the code to run unimpeded by the usual privilege requirements. To make a “.kext” persistent, it is added to the “/System/Library/Extensions” or “/Library/Extensions” directory. Beginning with OS X Mavericks, kernel extensions are required to be signed; however, there are methods to bypass this requirement. Kexts are less complicated than rootkits but still more complicated than the other persistence methods available on Mac OS.
One of the most commonly used methods for persistence on Mac endpoints is the use of launch daemons or launch agents. This is an Apple-approved method for applications to persist, but it is often abused by malware. Launch daemons are non-interactive and run before the user logs in. Launch agents, on the other hand, can be interactive and run after the user has logged in. Making malware persistent with these methods is as simple as placing a binary on the endpoint and then adding a property list (“.plist”) file to one of these directories: “/Users/User/Library/LaunchAgents”, “/Library/LaunchAgents”, and “/Library/LaunchDaemons”. Plist files are simple XML files that contain configuration information and can be thought of as a reference to the actual binary that is being executed.
Since Mac OS is based on Unix, it also offers cron jobs, which can be used to execute commands or a script at set time intervals. First, the commands to be run are saved to a file; then the “crontab” command is used to register the file as a cron job. Once registered, the commands run at the specified intervals, which lets the attacker maintain persistence across reboots.
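As an added example (not from the original article), here is a small Python parser for crontab output of the kind a responder collects with “crontab -l”; it splits each entry into schedule and command and flags entries that run at boot or point at temporary or hidden paths. The sample crontab lines and the flagging heuristics are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `crontab -l` output for one user; all entries are invented.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
@reboot /Users/Shared/.cache/updater --quiet
*/5 * * * * /bin/sh /private/tmp/.sync.sh > /dev/null 2>&1
"""

# Vixie-cron shorthand schedules such as @reboot, followed by the command.
SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\s+(.*)$")
# Five whitespace-separated schedule fields, then everything else is the command.
FIELDS = re.compile(r"^(\S+\s+){5}(.*)$")
# Heuristic (an assumption for this example): commands under /tmp or /private/tmp,
# or with a dot-prefixed path component, deserve a closer look.
SUSPICIOUS_PATH = re.compile(r"(^|\s)/(private/)?tmp/|/\.[^/\s]")

def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split each active crontab line into schedule and command, with triage flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = SPECIAL.match(line)
        if m:
            schedule, command = "@" + m.group(1), m.group(2)
        else:
            m = FIELDS.match(line)
            if not m:
                continue  # not a job line (e.g. an environment assignment)
            command = m.group(2)
            schedule = line[: len(line) - len(command)].strip()
        flags = []
        if schedule == "@reboot":
            flags.append("runs at boot")
        if SUSPICIOUS_PATH.search(command):
            flags.append("tmp or hidden path")
        entries.append({"schedule": schedule, "command": command, "flags": ", ".join(flags)})
    return entries

if __name__ == "__main__":
    for entry in parse_crontab(SAMPLE_CRONTAB):
        print(entry)
```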
Although deprecated, Mac OS still offers login and logout hooks. These again allow a script or set of commands to be run whenever a user logs in or logs out. Similar to the cron job method, the “defaults” command is used to add the file containing the commands (or the script file) to the “com.apple.loginwindow.plist” file (located in the “/Users/User/Library/Preferences” directory), which holds the login and logout hooks.
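As an added example that is not part of the original article, the following Python helper parses the two plist formats covered in the launch agent/daemon and login hook sections above and reports the fields a responder triages first: the label, the program and its arguments, autostart flags, and any LoginHook/LogoutHook entries. The sample plists, their labels and paths, and the set of "expected" program-path prefixes are constructed for illustration.

```python
import plistlib
from typing import Any, Dict

# Constructed sample of a LaunchAgent plist of the kind dropped into
# ~/Library/LaunchAgents; the label and program path are invented.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/.cache/updater</string><string>--quiet</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample of a com.apple.loginwindow.plist carrying a LoginHook entry.
SAMPLE_LOGINWINDOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LoginHook</key><string>/Users/Shared/.cache/hook.sh</string>
</dict>
</plist>
"""

# Prefixes treated as expected program locations (an assumption; tune to your fleet).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")

def audit_launch_plist(data: bytes) -> Dict[str, Any]:
    """Pull out what a responder checks first in a LaunchAgent/LaunchDaemon plist."""
    p = plistlib.loads(data)
    # launchd accepts either ProgramArguments (argv) or a bare Program path.
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    path = args[0] if args else ""
    flags = [k for k in ("RunAtLoad", "KeepAlive") if p.get(k)]
    if path and not path.startswith(SYSTEM_PREFIXES):
        flags.append("program outside system locations")
    if any(part.startswith(".") for part in path.split("/")):
        flags.append("hidden path component")
    return {"label": p.get("Label", ""), "program": path, "args": args[1:], "flags": flags}

def audit_loginwindow(data: bytes) -> Dict[str, str]:
    """Return LoginHook/LogoutHook entries; the mechanism is deprecated, so any hit is worth a look."""
    p = plistlib.loads(data)
    return {k: p[k] for k in ("LoginHook", "LogoutHook") if k in p}

if __name__ == "__main__":
    print(audit_launch_plist(SAMPLE_AGENT))
    print(audit_loginwindow(SAMPLE_LOGINWINDOW))
```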
For applications, another form of persistence is the use of Login Items. This is another Apple-approved way for legitimate applications to gain persistence. Login items are listed in the “com.apple.loginitems.plist” file, which is stored in the “/Users/User/Library/Preferences” directory. One downside to using login items is that they are shown in the GUI under System Preferences, which makes them more visible to end users who look there.
One last form of persistence is sandboxed login items, which are similar to the deprecated login items described above. Traditional login items are not available to applications downloaded from the Mac App Store, so sandboxed login items were added to give those applications the same capability. This method requires two applications: the main application and a helper application (the one that actually persists). The helper application is placed in the LoginItems sub-directory of the main application, and the main application must invoke the “SMLoginItemSetEnabled()” function to make the helper persistent. Once invoked, the helper application is automatically executed whenever the user logs in.
While there are many forms of persistence on Mac OS not covered here, familiarizing yourself with these methods and using your tools to watch for them is a great starting point for catching malware in your environment. New forms of persistence are always being discovered and are becoming more and more complex, as older forms become tightly controlled and inaccessible to malware authors, or are deprecated and removed from the operating system.