Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.[1] There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.[2]
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated. |
| M1045 | Code Signing |
Enforce that all binaries be signed by the correct Apple Developer IDs. |
| M1038 | Execution Prevention |
Allow applications via known hashes. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0216 | Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS | AN0607 |
Detection focuses on unauthorized modification of Mach-O binaries to include LC_LOAD_DYLIB headers pointing to malicious dylibs. Behavior is identified via a chain of file metadata changes, removal of code signatures, and subsequent anomalous dylib loads at runtime. Correlation of file changes with lack of authorized updates and process memory mapping of unrecognized or unsigned libraries is crucial. |