LC_MAIN Hijacking

As of OS X 10.8, Mach-O binaries gained a new load command, LC_MAIN, that points to the binary's entry point for execution. Previously, two load commands achieved the same effect: LC_THREAD and LC_UNIXTHREAD [1]. A binary's entry point can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then returns to the original entry point, so the victim notices nothing different [2]. Modifying a binary in this way can bypass application whitelisting, because the file name or application path is unchanged.

ID: T1149

Tactic: Defense Evasion

Platform: macOS

Permissions Required: User, Administrator

Data Sources: Binary file metadata, Malware reverse engineering, Process monitoring

Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path

Version: 1.0

Mitigation

Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.

Detection

Determining a binary's original entry point is difficult, but checksum and signature verification is straightforward: modifying the LC_MAIN entry point, or adding a second LC_MAIN load command, invalidates the file's signature and can be detected. Collect running process information and compare it against known applications to look for suspicious behavior.
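As an added illustration of the detection idea above (example code, not part of the ATT&CK page), the following Python script walks the load commands of a 64-bit little-endian Mach-O and flags a file that carries more than one LC_MAIN or whose LC_MAIN entry offset falls outside the __TEXT segment's file range. The Mach-O image it audits is constructed inline for the demonstration and is not a runnable binary.

```python
"""Audit the LC_MAIN entry point of a 64-bit Mach-O image."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028  # LC_REQ_DYLD | 0x28, struct entry_point_command


def load_commands(data):
    """Yield (cmd, file_offset, cmdsize) for each load command after the mach_header_64."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        yield cmd, off, cmdsize
        off += cmdsize


def audit_entry_point(data):
    """Report how many LC_MAIN commands exist and whether entryoff stays inside __TEXT."""
    text_range, entry_offsets = None, []
    for cmd, off, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            segname = struct.unpack_from("<16s", data, off + 8)[0].rstrip(b"\0")
            fileoff, filesize = struct.unpack_from("<QQ", data, off + 40)
            if segname == b"__TEXT":
                text_range = (fileoff, fileoff + filesize)
        elif cmd == LC_MAIN:
            entry_offsets.append(struct.unpack_from("<Q", data, off + 8)[0])
    in_text = text_range is not None and all(
        text_range[0] <= e < text_range[1] for e in entry_offsets)
    return {"lc_main_count": len(entry_offsets), "entry_offsets": entry_offsets,
            "suspicious": len(entry_offsets) != 1 or not in_text}


def build_sample(entryoff=0x100, extra_lc_main=False):
    """Construct a minimal Mach-O image (header + __TEXT + LC_MAIN); constructed test data only."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    main = struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)  # entryoff, stacksize
    cmds = seg + main + (main if extra_lc_main else b"")
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         3 if extra_lc_main else 2, len(cmds), 0, 0)
    return header + cmds + b"\0" * 0x1000


if __name__ == "__main__":
    print(audit_entry_point(build_sample()))                # benign: one LC_MAIN inside __TEXT
    print(audit_entry_point(build_sample(entryoff=0x5000)))  # entry point moved outside __TEXT
    print(audit_entry_point(build_sample(extra_lc_main=True)))  # a second LC_MAIN added
```

On a real system the same conclusion is reached with less effort by verifying the code signature, since either modification invalidates it.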

References