
MacOS Malware Analysis for Reverse Engineers

FLARE Team of Mandiant, A FireEye Company | August 6-7



Overview

Most malware analysts and incident responders aren't able to dissect macOS malware. With the use of Apple Macintosh computers growing across the enterprise, they need to be prepared to deal with current and future threats. With that corporate increase comes an increase in attacks. Will you be prepared to analyze malware and threats targeting macOS when they come your way?

This Crash Course rapidly introduces the tools and methodologies necessary to get you analyzing malware that targets the macOS platform. We use a practical, hands-on approach to quickly adapt your current malware analysis skills for macOS.
During the course, you will learn everything you need to know about macOS for success with analyzing malware. You will become skilled with macOS-specific static and dynamic analysis tools and techniques to quickly tease out host and network-based indicators. After learning the basics, students will learn how to analyze compiled Objective-C code and Cocoa applications using Hopper Disassembler and IDA Pro. Students will learn how to use the lldb debugger to aid in dynamic analysis. This course is filled with demonstrations and hands-on labs with real malware where the students immediately practice what they have been taught.

Modules Included:

  • Introduction to macOS – learn macOS internals relevant to malware analysis.
  • Basic Static Analysis – tools and methodologies used to perform basic analysis and extract host and network-based indicators from malware without running it.
  • Basic Dynamic Analysis – tools and methodologies used to analyze malware behavior by executing it in a safe environment.
  • Advanced Static Analysis – learn disassembly analysis techniques specific to Objective-C executables and Cocoa applications.
  • Advanced Dynamic Analysis – learn malware debugging in the macOS environment and how it can be used to monitor and change its behavior at run time.

Who Should Take this Course

Malware analysts, incident responders, intel analysts, information security staff, forensic investigators, or others requiring an understanding of how macOS-specific malware works and the steps and processes involved in performing malware analysis of macOS-specific threats.

Student Requirements

Training or experience in malware analysis and familiarity with object-oriented programming, the x86 architecture, IDA Pro, and Unix-like operating systems are required. This class is built assuming the student is comfortable with these topics, which are used heavily throughout the course; it does not teach things like object-oriented programming basics, the x86 architecture and reverse engineering basics, the Unix shell, IDA Pro, or basic malware topics.

What Students Should Bring

Students must bring their own MacBook with VMware Fusion 8.5+ installed. Laptops should have at least 30GB of free space.

The class provides the trial version of Hopper Disassembler. If the student prefers to use IDA Pro, a currently licensed copy of IDA Pro 6.9+ that supports the x86_64 architecture is required. It can be for any OS, as long as it is accessible on the MacBook.

What Students Will Be Provided With

  • A student manual.
  • Class handouts.
  • FireEye/Mandiant gear.

Trainers

Instructors will be determined and bios will be provided as we near the event; however, they will be from the pool of seasoned instructors we use year after year.