DEFCON: Offensive Malware Analysis: Dissecting OSX FruitFly

Building a custom command and control (C&C) server for someone else's malware has a number of benefits. If you can take over its domain, you may be able to fully hijack other hackers' infected hosts. A more common benefit is speeding up analysis. While hackers and governments may be more interested in the former, malware analysts can profit from the latter.

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing example. Specifically targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly, which even now is detected by only a handful of security products.

This DEFCON talk starts by analyzing the malware's dropper, an obfuscated Perl script. As this language is rather antiquated and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.

While this dropper component also talks to the C&C server and supports some basic commands, it drops a binary payload in order to perform more complex actions. However, instead of fully reversing this piece of the malware, the talk focuses on an initial triage and shows how that was sufficient to build a custom C&C server. With such a server, we can easily coerce the malware into revealing its full capabilities. For example, the malware invokes a handful of low-level mouse and graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, we can simply send it various commands through the C&C server and observe the effects.

Of course, this approach relies on the ability to closely observe the malware's actions. As such, Patrick will discuss macOS-specific tools that can monitor various events and, where necessary, detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes the commands the malware sends to the OS in order to control the mouse).
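To make the 'mouse sniffer' idea concrete, here is an added example (not code from the talk or from this article) of a minimal listen-only monitor built on the Core Graphics event-tap API. It logs every mouse event delivered to the session together with the source process ID and source state ID that Core Graphics records on the event, so an analyst can correlate synthetic mouse events with the PID of the sample running in the analysis VM; the build command and the optional PID filter are assumptions for this example.

```objective-c
// Added example: listen-only mouse event monitor for macOS (not from the talk).
// Build (assumed): clang -framework ApplicationServices -o mousesniff mousesniff.m
// Usage: ./mousesniff [pid]   -- with no pid, every mouse event is logged.
// The terminal running it needs Accessibility / Input Monitoring permission.
#import <ApplicationServices/ApplicationServices.h>
#import <stdio.h>
#import <stdlib.h>

static const char *describe(CGEventType type) {
    switch (type) {
        case kCGEventMouseMoved:       return "mouseMoved";
        case kCGEventLeftMouseDown:    return "leftMouseDown";
        case kCGEventLeftMouseUp:      return "leftMouseUp";
        case kCGEventRightMouseDown:   return "rightMouseDown";
        case kCGEventRightMouseUp:     return "rightMouseUp";
        case kCGEventLeftMouseDragged: return "leftMouseDragged";
        default:                       return "other";
    }
}

// Called by WindowServer for each matching event; we only observe, never modify.
static CGEventRef tapCallback(CGEventTapProxy proxy, CGEventType type,
                              CGEventRef event, void *refcon) {
    pid_t watched = *(pid_t *)refcon;
    // Process that posted the event, and the event-source state it was created with.
    int64_t srcPid   = CGEventGetIntegerValueField(event, kCGEventSourceUnixProcessID);
    int64_t srcState = CGEventGetIntegerValueField(event, kCGEventSourceStateID);
    CGPoint loc = CGEventGetLocation(event);
    if (watched == 0 || srcPid == watched) {
        printf("[%-16s] srcPid=%lld srcState=%lld x=%.0f y=%.0f\n",
               describe(type), srcPid, srcState, loc.x, loc.y);
        fflush(stdout);
    }
    return event;   // listen-only tap: the event continues unchanged
}

int main(int argc, char **argv) {
    pid_t watched = (argc > 1) ? (pid_t)atoi(argv[1]) : 0;   // 0 = log all
    CGEventMask mask = CGEventMaskBit(kCGEventMouseMoved) |
        CGEventMaskBit(kCGEventLeftMouseDown) | CGEventMaskBit(kCGEventLeftMouseUp) |
        CGEventMaskBit(kCGEventRightMouseDown) | CGEventMaskBit(kCGEventRightMouseUp) |
        CGEventMaskBit(kCGEventLeftMouseDragged);
    CFMachPortRef tap = CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap,
                                         kCGEventTapOptionListenOnly, mask,
                                         tapCallback, &watched);
    if (!tap) { fprintf(stderr, "CGEventTapCreate failed (permission missing?)\n"); return 1; }
    CFRunLoopSourceRef src = CFMachPortCreateRunLoopSource(kCFAllocatorDefault, tap, 0);
    CFRunLoopAddSource(CFRunLoopGetCurrent(), src, kCFRunLoopCommonModes);
    CGEventTapEnable(tap, true);
    CFRunLoopRun();   // block forever, printing events as they arrive
    return 0;
}
```

Run it in the analysis VM before sending the sample a mouse-control command, then compare the logged coordinates and click sequence against the parameters you sent from the custom C&C server.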

While some of this talk is FruitFly- and macOS-specific, conceptually it should broadly apply to analyzing other malware, even on other operating systems.

Ehacking Staff