Results for Kai Lu

Threat Research

Monitoring macOS, Part I: Monitoring Process Execution via MACF

Over the years, the FortiGuard Labs team has learned that it is very common for macOS malware to launch a new process to execute its malicious activity. So in order to more efficiently and automatically analyze the malicious behaviors of malware targeting macOS, it is necessary to develop a utility to monitor process execution. The MACF on macOS is a good choice to implement this utility. The Mandatory Access Control Framework - commonly referred to as MACF - is the substrate on top of which all of Apple’s securities, both macOS and iOS, are implemented. In this blog, I will detail the implementation of monitoring process execution, including command line arguments, via MACF.

By Kai LuMarch 30, 2018

Threat Research

Monitoring macOS, Part II: Monitoring File System Events and Dylib Loading via MACF

In the previous blog from FortiGuard Labs in this series, we discussed how to monitor process execution with command line arguments using MACF on macOS. In this blog, we will continue to discuss how to monitor file system events (including file open, read, write, rename, and delete operations) and dynamic library loading via MACF on macOS. I will provide all the technical details below. Let’s get started!

By Kai LuMarch 30, 2018

Threat Research

Monitoring macOS, Part III: Monitoring Network Activities Using Socket Filters

In the two previous blogs in this series from FortigGuard Labs, we discussed how to monitor process execution with command line arguments, file system events, and dylib loading events using MACF on macOS. In this blog, we will continue to discuss how to monitor network activities (another significant behavior for malware) using Socket Filters (a part of the Network Kernel Extension) on macOS. The network activities to be monitored include UDP, TCP, ICMP, DNS query, and response data. I provide all the technical details below, so let’s get started again!

By Kai LuMarch 30, 2018

Threat Research

Rewriting IDAPython Script objc2_xrefs_helper.py for Hopper

Security researchers have identified more and more Mac OS malware attacks over the past two years. In June 2017, Rommel Joven and Wayne Chin Yick Low from Fortinet’s Fortiguard Labs found and analyzed a new ransomware targeted at Mac OS.  Most malware for Mac OS was developed in the Objective-C programming language. A good introduction to reverse engineering Cocoa applications can be found here. In that blog post, the researcher released an IDAPython script named objc2_xrefs_helper.py  that can only be executed in IDA Pro. As you...

By Kai LuSeptember 19, 2017

Threat Research

A Wrap Up of ToorCon 19 at San Diego

ToorCon 19 San Diego was held Monday August 28th to Sunday September 3rd, 2017 at The Westin San Diego. It included three parts. The first was training workshops focused on various aspects of computer security. These took place on Aug 28-31. The second was a Seminar held on Sep 1. The third part was the formal Conference that ran from Sep 1-3. I was honored to be able to present my research, Dig Deep into FlexiSpy for Android at ToorCon 19. FlexiSpy for Android is a spy app with full IM tracking, VoIP call recording, and live call interception....

By Kai LuSeptember 18, 2017

Threat Research

Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part I

Part I: How to Unpack the Malware App This past January I performed a deep analysis of an Android rootnik malware variant and posted them to this blog. Since then, I have continued to monitor this Android malware family. In early June, FortiGuard Labs found a new variant of the Android rootnik malware that disguises itself as a legal app. It then uses open-sourced Android root exploit tools to gain root access on an Android device. To be clear, this malware was NOT found in Google Play. The developer of the malware app repackaged a legal app...

By Kai LuJuly 09, 2017

Threat Research

Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part III

In this final blog in the Rootnik series we will finish our analysis of this new variant. Let’s start by looking into the script shell rsh. Analysis of the script shell Through our investigation we are able to see how the script shell works: First, it writes the content of the file .ir into /system/etc/install-recovery.sh. The file install-recovery.sh is a startup script. When the android device is booted, the script can be executed. The following is the content of the file .ir. Next, it writes some files...

By Kai LuJuly 09, 2017

Threat Research

Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part II

In part I of this blog, I finished the analysis of the native layer of a newly discovered Rootnik malware variant, and got the decrypted real DEX file. Here in part II, we will continue our analysis. A look into the decrypted real DEX file The entry of the decrypted DEX file is the class demo.outerappshell.OuterShellApp. The definition of the class OuterShellApp is shown below. Figure 1. The class demo.outerappshell.OuterShellApp We will first analyze the function attachBaseContext(). The following is the function aBC() in the class...

By Kai LuJuly 09, 2017

Threat Research

How to repair a DEX file, in which some key methods are erased with NOPs

During the process of analyzing android malware, we usually meet some APK samples which hide or encrypt their main logic code.  Only at some point does the actual code exist in the memory, so we need to find the right time to extract it.  In this blog, I present a case study on how to repair a DEX file in which some key methods are erased with NOPs and decrypted dynamically when ready to be executed. Note: All the following analysis is based on android-4.4.2_r1(KOT49H). Let’s start our journey! First, I open the classes.dex...

By Kai LuApril 05, 2017

Threat Research

Fortinet Security Researcher Discovers Multiple Critical Vulnerabilities in Adobe Flash Player

I discovered and reported multiple critical zero-day vulnerabilities in Adobe Flash Player last November. This Tuesday, Adobe released a security patch which fixed them.

By Kai LuFebruary 19, 2017