Threat Hunting with Osquery: 5 macOS Malware Techniques & How to Find Them

This previous blog post explored ways to use osquery for macOS malware analysis. Using the same methodology introduced there, we analyzed five additional macOS malware variants and recorded their behavior to understand the techniques they used. Below, you’ll find the techniques used by Calisto, Dummy, HiddenLotus, LamePyre and WireLurker. Read on to explore how to translate the techniques used by these malware into queries you can run to hunt for the active presence or historical artifacts using osquery.




(Process Tree)

  • Creates hidden directory using ‘mkdir
  • Archives keychains using ‘zip
  • Updates TCC.db using ‘sqlite3
  • Adds property list file in LaunchAgents using ‘cp


(Process Tree)

  • Changes file permissions using ‘chown’ and ‘chmod
  • Enumerates running processes using ‘ps
  • Adds property list file in LaunchDaemons using ‘mv
  • Uses ‘launchctl’ to load property list file
  • Launches python and connects to the internet


(Process Tree)

  • Uses ‘osascript’
  • Uses ‘touch’ to create property list file in LaunchDaemons
  • Uses ‘launchctl’ to load property list file
  • Drops pdf file in the ‘tmp’ directory
  • Uses ‘open’ to open the pdf file from the tmp directory
  • Uses ‘sw_vers’ to identify the operating system version
  • Uses ‘uname’ to get the processor architecture


(Process Tree)

  • Decodes base64 data using ‘base64
  • Launches python
  • Creates hidden directory using ‘ (Read more...)

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Amit Malik. Read the original post at: