How to find malware on Macs using osquery

There have been several instances in the past few months where malware was introduced to OS X machines via “supply chain attacks”. In these, a vendor is tricked into distributing, or is compromised in such a way that, its legitimate software is either replaced by malware or ships with malware included in the distribution bundle.
Some of these have been addressed in the OS X Attacks query pack for osquery — but say you want to check right away, without waiting on an update from someone else. One of the nice things about osquery is that, in most cases, it is trivial to take a couple of indicators from a recent bulletin and check your Macs with just a little SQL.
Taking an example from today: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ — the bulletin lists a couple of files and locations that are unique to this malware instance. Instead of waiting on others, we can quickly build a SQL query from that information:

```sql
SELECT *
FROM file
WHERE path = '/tmp/Updater.app/'
   OR path = '/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist'
   OR path = '/Library/.rand/'
   OR path = '/Library/.rand/updateragent.app/';
```
Deploy this to your osquery endpoints via your distributed query system of choice. Hopefully, you get only an empty result set back. If a row does come back, you can start investigating whether this malware is on that system, and you did not have to wait for a signature update or for other researchers to finish their work. For more examples of how to find macOS malware, check out these posts on finding OSX/Mami and CreativeUpdater.
If you want to be more exacting, you can combine this with hash values (osquery exposes file hashes as well), but in this example we are looking at something fairly unique and moving quickly. If precision were a bigger concern (i.e. the file name or location could easily be confused with a legitimate app), or you did not have such a distinctive set of files to look for, you would want to include hashes. For this particular threat, though, the path check addresses it quickly and simply and lets you get back to what you were doing in short order (assuming you do not find anything).
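As an added example (not from the original post), here is the same set of indicator paths joined to osquery's hash table, which is the table that reports md5/sha1/sha256 for a given path. The SHA-256 values are placeholders to be replaced with the ones published in the bulletin you are working from; the CASE column labels each hit as a hash match or a path-only match so an analyst can triage the stronger signal first. Directories such as the .app bundles do not hash, so the LEFT JOIN keeps them as path-only rows rather than dropping them.

```sql
-- Added example, not part of the original post or the osquery project.
-- Assumes osquery's built-in `file` and `hash` tables; the SHA-256 strings
-- below are PLACEHOLDERS, not real indicators.
SELECT
  f.path,
  f.size,
  datetime(f.mtime, 'unixepoch') AS modified_utc,
  h.sha256,
  CASE
    WHEN h.sha256 IN (
      '<sha256-from-bulletin-1>',
      '<sha256-from-bulletin-2>'
    ) THEN 'hash match'
    WHEN h.sha256 IS NULL OR h.sha256 = '' THEN 'path match only (directory or unreadable)'
    ELSE 'path match, hash differs (new variant or benign collision?)'
  END AS confidence
FROM file AS f
-- LEFT JOIN so a hit on a directory path still comes back as a row.
LEFT JOIN hash AS h ON h.path = f.path
WHERE f.path IN (
  '/tmp/Updater.app/',
  '/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist',
  '/Library/.rand/',
  '/Library/.rand/updateragent.app/'
);
```

An empty result set still means nothing matched; a row labelled 'hash match' is the strongest indicator, while 'hash differs' deserves a closer look rather than dismissal, since it may be a repackaged variant. The same query can be dropped unchanged into a scheduled query pack if you want ongoing coverage instead of a one-off distributed query.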