Meet the speaker
Sergei manages a global team of cyber-threat researchers, focused on Android, Linux, and macOS platforms.
Sergei Shevchenko has more than 18 years of professional experience reverse engineering malware and is a recognized expert in his field. His analysis of high-profile malware attacks, including previous years' Bangladesh Bank heist, attacks on Polish and other banks, recent cyber espionage within managed service providers and ransomware attacks affecting thousands of vital service organizations globally, is the go-to information source for risk and technology officers and their teams around the world. At SophosLabs, Sergei manages a global team of cyber-threat researchers, focused on Android, Linux, and macOS platforms.
One of the fairly popular macOS bundleware exemplars presented in this research employs techniques that any seasoned threat researcher will find ... rather amusing. Not only does it employ anti-debugging, strings/API encryption and Mach-O runtime decompression techniques, its developers went as far as embedding a full backdoor component into the installer, granting it capabilities that extend way beyond what one might expect from a piece of installation software. In this talk, we'll dive into the installer's Mach-O binary to demonstrate how it piggy-backs on 'non-lazy' Objective-C classes, the way it dynamically unpacks its code section in memory and decrypts its config. An in-depth analysis will reveal the structure of its engine and the full scope of its hidden backdoor capabilities, anti-debugging, VM evasion techniques and other interesting tricks that are so typical to the Windows malware scene, but which aren’t commonly found in the unwanted apps that claim to be clean, particularly on the Mac platform. This talk will reveal practical hands-on tricks used in Mach-O binary analysis under a Hackintosh VM guest, using LLDB debugger and IDA Pro disassembler, along with a very interesting marker found during the analysis.