APRIL 29, 2019

Even on the Apple of Your Eye: Remote Code Injections in Mac-OS

Code injection, a fairly well-known attack vector, enables hackers to hide their presence inside a remote process and evade detection, potentially indefinitely. The extent of the damage can vary significantly. At its most devastating, the injected code can carry out whatever behavior the malware author wants, from espionage and data theft to triggering system breakdowns. Yet perhaps the most alarming part is that when it comes to new techniques targeting Mac-OS, there are no known solutions available to proactively protect ourselves.

The objective of code injection is to run malicious code through an unsuspecting, and ideally a legitimate, process on the system, which is likely to evade security solutions. When malicious code injection takes place, the malware inserts part of its code into the memory of the remote process, and when triggered, that process executes the injected malicious code.

When it comes to Mac-OS, the concern of code injection going undetected is all the more real. Admittedly, the consensus is correct: Apple operating systems are less susceptible to malware using code injection. The more susceptible target for this type of malware is Windows, whose wide use makes it a veritable free-for-all. However, in research conducted by Alon Weinberg, Security Researcher on Deep Instinct's Security Research Team, the possibility remains for your beloved Macintosh to come under attack by little-known code execution techniques that hook functions in a remote process. Not only that, but when this malware does strike, it is likely to go undetected by whatever security solution you have in place.

Weinberg tested new code injection methods and a custom-built reflective Mach-O loader, bypassing detection by several popular Mac-OS security solutions that operate both statically and at run time. Unlike code injection or a hooking technique, a loader lets an attacker load Mach-O files from memory rather than from disk, thereby bypassing security systems more effectively.

Weinberg concluded that malware using these methods as a new attack vector could perform a wide variety of tasks. The malware simply relies on access to another process, which it can then act upon maliciously. The saving grace (yes, fortunately there is one) is that these methods are new to the community, and the likelihood that they are in use in the wild is low.

While there is next to nothing that can be done by Mac users, being forewarned is still forearmed. Security solution providers should familiarize themselves both with known code injection techniques and with the hardly documented techniques for hooking functions in a remote process to achieve code execution. These include hooking the lazy/non-lazy table, the dummy hook and the OCHook. Each of these distinct techniques can be applied to a user's Apple device, and each can be protected against.
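The lazy and non-lazy symbol pointer tables named above sit in fixed, well-described sections of a Mach-O image, so one defender-side check is to enumerate those sections and flag any pointer that resolves outside the image's own segments (or outside library mappings the caller vouches for). The code below is an added example, not code from this post or from the research it summarizes; the minimal Mach-O it parses is constructed inline for the demo, and the parser assumes a 64-bit little-endian image in file layout.

```python
import struct

# Constants from <mach-o/loader.h>
MH_MAGIC_64, LC_SEGMENT_64 = 0xFEEDFACF, 0x19
S_NON_LAZY_SYMBOL_POINTERS, S_LAZY_SYMBOL_POINTERS, SECTION_TYPE_MASK = 0x6, 0x7, 0xFF

def parse_segments(image):
    """64-bit little-endian Mach-O in file layout -> (segments, pointer_sections):
    segments as (name, vmaddr, vmsize); pointer sections as (sectname, addr, size, file_offset)."""
    magic, ncmds = struct.unpack_from("<I", image, 0)[0], struct.unpack_from("<I", image, 16)[0]
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    segments, ptr_sections, off = [], [], 32  # 32 = sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmd == LC_SEGMENT_64:  # segment_command_64 is 72 bytes, then 80-byte section_64 entries
            seg = struct.unpack_from("<16s4Q2i2I", image, off + 8)
            segments.append((seg[0].rstrip(b"\0").decode(), seg[1], seg[2]))
            for i in range(seg[7]):  # seg[7] == nsects
                s = struct.unpack_from("<16s16s2Q8I", image, off + 72 + 80 * i)
                if (s[8] & SECTION_TYPE_MASK) in (S_NON_LAZY_SYMBOL_POINTERS, S_LAZY_SYMBOL_POINTERS):
                    ptr_sections.append((s[0].rstrip(b"\0").decode(), s[2], s[3], s[4]))
        off += cmdsize
    return segments, ptr_sections

def find_suspicious_pointers(image, extra_ranges=()):
    """Flag symbol pointers resolving outside the image's own segments and outside extra_ranges
    (legitimate library mappings the caller knows). Simplified heuristic; zero (unbound) slots skipped."""
    segments, ptr_sections = parse_segments(image)
    allowed = [(a, a + n) for _, a, n in segments] + list(extra_ranges)
    findings = []
    for sectname, _addr, size, offset in ptr_sections:
        for i in range(size // 8):
            (ptr,) = struct.unpack_from("<Q", image, offset + 8 * i)
            if ptr and not any(lo <= ptr < hi for lo, hi in allowed):
                findings.append((sectname, i, ptr))
    return findings

def build_sample_image():
    """Constructed minimal Mach-O (not a real binary): __TEXT, then __DATA with one
    __la_symbol_ptr section holding two pointers, one into __TEXT and one elsewhere."""
    def seg(name, vmaddr, vmsize, sects):
        body = struct.pack("<16s4Q2i2I", name, vmaddr, vmsize, 0, 0, 7, 3, len(sects), 0)
        return struct.pack("<2I", LC_SEGMENT_64, 72 + 80 * len(sects)) + body + b"".join(sects)
    la = struct.pack("<16s16s2Q8I", b"__la_symbol_ptr", b"__DATA", 0x100001000, 16, 256,
                     3, 0, 0, S_LAZY_SYMBOL_POINTERS, 0, 0, 0)
    cmds = seg(b"__TEXT", 0x100000000, 0x1000, []) + seg(b"__DATA", 0x100001000, 0x1000, [la])
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0)
    # header (32) + commands (224) = 256 bytes, so the pointer slots start at file offset 256
    return header + cmds + struct.pack("<2Q", 0x100000F00, 0x7FFF00001234)
```

On a real process the same check would be run over a memory dump re-laid out to file offsets, with the loaded dyld shared cache and library ranges passed as `extra_ranges` to avoid flagging legitimately bound imports.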

Read the research paper to learn more about the new hooking-based remote code execution techniques in Mac-OS.