Results for Mac OS

Threat Research

Detailed Analysis of macOS/iOS Vulnerability CVE-2019-6231

On Jan 22, 2019, Apple released macOS Mojave 10.14.3 and iOS 12.1.3. These two updates fixed a number of security vulnerabilities, including CVE-2019-6231 in QuartzCore (a.k.a. CoreAnimation). This blog provides a detailed analysis of that issue.

By Kai Lu, January 24, 2019

Threat Research

A Look into XPC Internals: Reverse Engineering the XPC Objects

We have recently been engaged in deep security research on macOS for FortiGuard Labs, focused on the discovery and analysis of IPC vulnerabilities. In this blog, we uncover the data types used internally by XPC to help researchers not only quickly analyze the root causes of XPC vulnerabilities, but also perform deep analysis of exploits targeting those vulnerabilities.

By Kai Lu, December 14, 2018

Threat Research

Cookie Maker: Inside the Google Docs Malicious Network

FortiGuard Labs recently discovered an active Google Docs malware campaign that uses the names of Fortinet and FortiGuard. When we examined the documents, we encountered a long chain of redirects inside a malicious network; the destination of this chain depended on our IP address and the user-agent we used. This malicious network targets all major platforms: Windows, Android, and macOS.

By Artem Semenchenko, November 21, 2018

Threat Research

Analysis: Inspecting Mach Messages in macOS Kernel-Mode Part II: Sniffing the received Mach messages

In part I of this blog, we discussed how to inspect the sending of Mach messages from a kernel-mode perspective. In part II, I will continue by describing how to inspect received Mach messages by setting up a kernel inline hook.

By Kai Lu, October 26, 2018

Threat Research

Analysis: Inspecting Mach Messages in macOS Kernel-Mode Part I: Sniffing the sent Mach messages

Mach IPC and Mach messages are the foundation for much of the communication that occurs in macOS. The question that many threat researchers ask is, “how can we inspect these Mach messages from a user-mode or kernel-mode perspective?”

By Kai Lu, October 26, 2018

Business and Technology | Threat Research

FortiAppMonitor: A Powerful Utility for Monitoring System Activities on macOS

FortiAppMonitor is a freeware utility developed and released by Fortinet, designed to monitor the behavior of programs on macOS.

By Kai Lu, August 16, 2018

Business and Technology

Tool Showcase at Black Hat USA 2018 - FortiAppMonitor

Fortinet researcher Kai Lu will present and showcase FortiAppMonitor, an application behavior monitoring tool for macOS aimed at researchers.

By Fortinet, August 06, 2018

Threat Research

Monitoring macOS, Part I: Monitoring Process Execution via MACF

Over the years, the FortiGuard Labs team has learned that it is very common for macOS malware to launch a new process to carry out its malicious activity. So in order to analyze the malicious behavior of macOS malware more efficiently and automatically, it is necessary to develop a utility that monitors process execution. The MACF on macOS is a good choice for implementing this utility. The Mandatory Access Control Framework, commonly referred to as MACF, is the substrate on top of which all of Apple’s security mechanisms, on both macOS and iOS, are implemented. In this blog, I will detail the implementation of process execution monitoring, including capture of command line arguments, via MACF.

By Kai Lu, March 30, 2018

Threat Research

Monitoring macOS, Part II: Monitoring File System Events and Dylib Loading via MACF

In the previous blog in this series from FortiGuard Labs, we discussed how to monitor process execution, including command line arguments, using MACF on macOS. In this blog, we continue by discussing how to monitor file system events (including file open, read, write, rename, and delete operations) and dynamic library loading via MACF on macOS. I will provide all the technical details below. Let’s get started!

By Kai Lu, March 30, 2018

Threat Research

Monitoring macOS, Part III: Monitoring Network Activities Using Socket Filters

In the two previous blogs in this series from FortiGuard Labs, we discussed how to monitor process execution with command line arguments, file system events, and dylib loading events using MACF on macOS. In this blog, we continue by discussing how to monitor network activity (another significant malware behavior) using Socket Filters (part of the Network Kernel Extension) on macOS. The network activity to be monitored includes UDP, TCP, ICMP, and DNS query and response data. I provide all the technical details below, so let’s get started again!

By Kai Lu, March 30, 2018