LC_MAIN Hijacking

Technique: LC_MAIN Hijacking
ID: T1149
Tactic: Defense Evasion
Platform: macOS, OS X
Permissions Required: User, Administrator
Data Sources: Binary file metadata, Malware reverse engineering, Process monitoring
Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path

As of OS X 10.8, Mach-O binaries introduced a new load command, LC_MAIN, that points to the binary's entry point for execution. Previously, two load commands achieved the same effect: LC_THREAD and LC_UNIXTHREAD [1]. The entry point of a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then returns to the original entry point, so the victim does not notice anything different [2]. Because the file name and application path are unchanged, modifying a binary in this way can bypass application whitelisting.

Mitigation

Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.

Detection

Determining the original entry point for a binary is difficult, but checksum and signature verification is practical. Modifying the LC_MAIN entry point, or adding an additional LC_MAIN load command, invalidates the file's signature and can be detected. Collect running process information and compare it against known applications to look for suspicious behavior.
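The following added example (not part of the ATT&CK page) shows the kind of structural check a defender can run over a Mach-O file's load commands alongside signature verification: it walks the 64-bit header, collects every LC_MAIN and LC_UNIXTHREAD entry, and flags duplicate LC_MAIN commands or an entryoff that falls outside the __TEXT segment's file range. The two sample binaries are constructed header-only byte strings (the field values are assumptions), and the heuristic is a triage aid, not a substitute for code-signature checks.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_UNIXTHREAD = 0x05
LC_MAIN = 0x80000028  # LC_REQ_DYLD | 0x28


def analyze_entry_commands(data):
    """Walk a 64-bit little-endian Mach-O's load commands; report entry-point findings."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, mains, unixthreads, text_range = 32, [], 0, None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_MAIN:  # entry_point_command: cmd, cmdsize, entryoff, stacksize
            entryoff, _stacksize = struct.unpack_from("<2Q", data, off + 8)
            mains.append(entryoff)
        elif cmd == LC_UNIXTHREAD:
            unixthreads += 1
        elif cmd == LC_SEGMENT_64:  # segname at +8, then vmaddr, vmsize, fileoff, filesize
            if data[off + 8:off + 24].rstrip(b"\0") == b"__TEXT":
                _vmaddr, _vmsize, fileoff, filesize = struct.unpack_from("<4Q", data, off + 24)
                text_range = (fileoff, fileoff + filesize)
        off += cmdsize
    findings = []
    if len(mains) > 1:
        findings.append("multiple LC_MAIN commands")
    if mains and unixthreads:
        findings.append("both LC_MAIN and LC_UNIXTHREAD present")
    for entry in mains:
        if text_range and not (text_range[0] <= entry < text_range[1]):
            findings.append("LC_MAIN entryoff 0x%x outside __TEXT" % entry)
    return {"lc_main": mains, "findings": findings}


# Constructed samples (assumed values): x86_64 executable headers with no file body.
def _header(ncmds, sizeofcmds):
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, sizeofcmds, 0, 0)

def _segment(name, fileoff, filesize):
    return struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, name, 0, filesize, fileoff, filesize, 7, 5, 0, 0)

def _main(entryoff):
    return struct.pack("<2I2Q", LC_MAIN, 24, entryoff, 0)

CLEAN = _header(2, 96) + _segment(b"__TEXT", 0, 0x1000) + _main(0xF00)
# Tampered: a second LC_MAIN whose entryoff points past __TEXT, into an appended region.
TAMPERED = _header(3, 120) + _segment(b"__TEXT", 0, 0x1000) + _main(0xF00) + _main(0x2000)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, analyze_entry_commands(blob))
```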