How to find malware on Macs using osquery

Posted by Doug Wilson on 10/20/17 12:10 PM

There have been several instances in the past few months where malware has been introduced to OS X machines via “supply chain attacks”. This is where a vendor is tricked into distributing, or is compromised in such a way that, its legitimate software is either replaced by malware or has malware included in the distribution bundle.

Some of these have been addressed in the OS X Attacks query pack for osquery — but say you want to check this right away, without having to wait on an update from someone else. One of the cool things about osquery is that it’s trivial in most cases to grab a couple of indicators from a recent bulletin and use osquery to check your macs using just a little knowledge of SQL.

Taking an example from today: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ — we see that there are a couple of files and locations that are unique to this malware instance — instead of waiting on others, we can quickly create a SQL query with the information from the bulletin:

SELECT *
 FROM file
 WHERE path='/tmp/Updater.app/' OR
 path='/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist' OR
 path='/Library/.rand/' OR
 path='/Library/.rand/updateragent.app/';

Deploy this to your osquery endpoints via your distributed query system of choice. Hopefully you get only an empty result set back. But if a row is returned, you can start investigating whether you have this malware on that system, and you didn’t have to wait for a signature update or for other researchers to finish what they are doing. For more examples of how to find macOS malware, check out these posts on finding OSX/Mami and CreativeUpdater.

If you want to be more exacting, you can combine this with hash values (also included in the osquery file table), but in this example we’re looking for something fairly unique, and going quickly. If precision were a bigger concern (i.e. the file name or location was something that might more easily be confused with a legitimate app), or you didn’t have such a distinctive set of files to look for, you would want to include hashes. But I think this addresses this particular threat quickly and simply, and lets you get back to what you were doing in short order (assuming you don’t find anything).
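As an added example (not from the original post or the osx-attacks pack), here is how the path-only query above can be tightened in the two ways the last two paragraphs describe: joining osquery's file table to its hash table so a hit requires a known-bad digest, and enumerating the hidden directory recursively with the file table's %% wildcard so the analyst sees every dropped file with its hash in one round trip. The indicator paths are the ones from the bulletin; the sha256 values are placeholders, since the post does not list any, and must be taken from the bulletin.

```sql
-- Added example, not from the original post. Reuses the indicator paths from the
-- bulletin and tightens the check using two standard osquery tables: file and hash.
-- The sha256 values are PLACEHOLDERS; replace them with digests from the bulletin.

-- 1. Exact match: the LaunchAgent plist must exist AND carry a known-bad SHA-256.
--    osquery pushes the file path down into the hash table, so the join is cheap.
SELECT f.path, f.size, f.mtime, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.path = '/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist'
  AND h.sha256 IN (
    'PLACEHOLDER_SHA256_FROM_BULLETIN_1',
    'PLACEHOLDER_SHA256_FROM_BULLETIN_2'
  );

-- 2. Broad match: list everything under the hidden directory and the dropped app
--    bundle in /tmp ('%%' is osquery's recursive wildcard), hashing each regular
--    file so the result set can be compared against the bulletin offline.
--    LEFT JOIN keeps files that fail to hash (e.g. unreadable) in the output.
SELECT f.path, f.type, f.size, f.mtime, h.md5, h.sha256
FROM file AS f
LEFT JOIN hash AS h ON h.path = f.path
WHERE (f.path LIKE '/Library/.rand/%%' OR f.path LIKE '/tmp/Updater.app/%%')
  AND f.type = 'regular';
```

Run either query through the same distributed query mechanism as the original; the first is the one to schedule if you want a low-noise alert, the second is the one to run once a host has already returned a row so you capture the full set of dropped files before anything is cleaned up.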

Topics: osquery, macOS, malware
