Last-minute paper: A Malicious OS X Cocktail Served from a Tainted Bottle

This presentation was delivered at VB2016 in Denver, CO, USA, by Peter Kalnai and Martin Jirkal (ESET).

In the last few months, two new OS X threats (dubbed OSX/KeRanger and OSX/Keydnap) were distributed as recompiled versions of the otherwise legitimate open source BitTorrent client Transmission, served from the application’s official, and therefore trusted, website. Moreover, different legitimate code-signing keys were used to sign the malicious Transmission application bundles so that they would pass Gatekeeper. The Transmission team responded immediately in both cases: the malicious bundles were removed from their web server, and the project eventually moved its downloads to GitHub. We provide the technical details of, and the similarities between, the two threats, and we investigate clues that might explain how these incidents came about.

The reaction from OS X users was very negative and full of anxiety about the possibility of being affected. The usual way to answer their questions would have been to obtain indicators of compromise with live tools, analyse them carefully, and finish by writing cleaning scripts by hand. An alternative, however, was to capture volatile physical memory and feed it to the powerful Volatility Framework. That is what we did: we executed the malware several times in various test environments to eliminate randomness and unrelated side effects, collected the output of the relevant Volatility plug-ins and compared it with the output from the clean state captured beforehand, dumped the unpacked memory blocks of the malicious processes, produced a Volatility plug-in that detects the IoCs in memory dumps of compromised systems, and wrote a script that cleans any such system. Notably, every one of these steps could run without any human interaction. We sketch how this method might lead to automated malware analysis for a platform like OS X.
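The core of the memory-based workflow above is differencing: run the sample several times, diff each post-execution snapshot against a clean baseline, and keep only what recurs in every run. The following is an added example of that step and is not code from the paper or from ESET. It assumes the tabular layout Volatility 2 prints for list-style plug-ins (a header row, a dashed rule, then whitespace-separated columns, the last of which may contain spaces); all offsets, PIDs and process names in the embedded snapshots are constructed placeholders, not IoCs from the paper, and the cleanup-script generator is illustrative.

```python
"""Baseline differencing of Volatility plug-in output (added example).

A row counts as an indicator of compromise only if its key appears in
every post-execution snapshot and never in the clean baseline; rows seen
in only some runs are treated as noise from the OS itself. Assumed input
layout: header row, dashed rule, whitespace-separated columns.
All offsets, PIDs and process names below are constructed placeholders.
"""
import shlex
from typing import Dict, List, Sequence, Tuple

Row = Dict[str, str]
Key = Tuple[str, ...]

# Clean baseline, captured before the sample was run (constructed).
CLEAN = """\
Offset             Name             Pid   Uid   PGID  Started
------------------ ---------------- ----- ----- ----- -------------------------
0xffffff8012a0c000 kernel_task      0     0     0     2016-08-01 09:00:00 UTC+0000
0xffffff8014b10000 launchd          1     0     1     2016-08-01 09:00:01 UTC+0000
0xffffff8015d3e000 Transmission     412   501   412   2016-08-01 09:03:10 UTC+0000
"""

# Two post-execution snapshots (constructed). "evil_helper" stands for a
# hypothetical persistent payload; "mdworker" is started by the OS in one
# run only and must be rejected. Offsets and PIDs differ between runs.
INFECTED_RUNS = [
    """\
Offset             Name             Pid   Uid   PGID  Started
------------------ ---------------- ----- ----- ----- -------------------------
0xffffff8012a0c000 kernel_task      0     0     0     2016-08-01 10:00:00 UTC+0000
0xffffff8014b10000 launchd          1     0     1     2016-08-01 10:00:01 UTC+0000
0xffffff8015d3e000 Transmission     431   501   431   2016-08-01 10:03:10 UTC+0000
0xffffff8016e4f000 evil_helper      455   501   455   2016-08-01 10:03:12 UTC+0000
0xffffff8017f50000 mdworker         460   501   460   2016-08-01 10:03:14 UTC+0000
""",
    """\
Offset             Name             Pid   Uid   PGID  Started
------------------ ---------------- ----- ----- ----- -------------------------
0xffffff8012a0c000 kernel_task      0     0     0     2016-08-01 11:00:00 UTC+0000
0xffffff8014b10000 launchd          1     0     1     2016-08-01 11:00:01 UTC+0000
0xffffff8015a1b000 Transmission     498   501   498   2016-08-01 11:03:10 UTC+0000
0xffffff8016c2d000 evil_helper      502   501   502   2016-08-01 11:03:12 UTC+0000
""",
]

# Offsets and PIDs are not stable across runs, so rows are keyed by name and owner.
KEY_FIELDS: Sequence[str] = ("Name", "Uid")


def parse_table(text: str) -> List[Row]:
    """Parse header + dashed rule + rows into dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[1].startswith("-"):
        raise ValueError("expected a header row followed by a dashed rule")
    header = lines[0].split()
    rows: List[Row] = []
    for ln in lines[2:]:
        # Split into exactly len(header) fields so the last column keeps its spaces.
        fields = ln.split(None, len(header) - 1)
        if len(fields) != len(header):
            raise ValueError(f"malformed row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def row_key(row: Row, key_fields: Sequence[str] = KEY_FIELDS) -> Key:
    return tuple(row[f] for f in key_fields)


def new_rows(clean: List[Row], infected: List[Row],
             key_fields: Sequence[str] = KEY_FIELDS) -> Dict[Key, Row]:
    """Rows of one infected snapshot whose key is absent from the clean baseline."""
    baseline = {row_key(r, key_fields) for r in clean}
    return {row_key(r, key_fields): r
            for r in infected if row_key(r, key_fields) not in baseline}


def stable_iocs(clean_text: str, infected_texts: Sequence[str],
                key_fields: Sequence[str] = KEY_FIELDS) -> List[Row]:
    """Keep only the new rows that recur in every run; anything else is noise."""
    if not infected_texts:
        return []
    clean = parse_table(clean_text)
    per_run = [new_rows(clean, parse_table(t), key_fields) for t in infected_texts]
    common = set.intersection(*(set(d) for d in per_run))
    return [per_run[0][k] for k in sorted(common)]  # rows as seen in the first run


def render_cleanup_script(iocs: List[Row]) -> str:
    """Emit a reviewable shell script that kills each IoC process by exact name."""
    lines = ["#!/bin/sh", "# Generated from memory-diff IoCs; review before running."]
    for r in iocs:
        # Process names are attacker-chosen, so quote them before they reach a shell.
        lines.append(f"pkill -x {shlex.quote(r['Name'])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = stable_iocs(CLEAN, INFECTED_RUNS)
    for r in found:
        print(f"IoC: {r['Name']} (uid {r['Uid']}, pid {r['Pid']} in run 1)")
    print(render_cleanup_script(found))
```

Keying on name and owner rather than offset or PID is what lets the two runs agree; with the constructed data the single-run diff flags both `evil_helper` and `mdworker`, while the intersection across runs keeps only `evil_helper`. A real pipeline would repeat the same differencing over several plug-ins (process list, loaded modules, network state) and feed the surviving rows to a detection plug-in, as the abstract describes.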

https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-malicious-os-x-cocktail-served-tainted-bottle
