Threat Research Report Team

How to Find Malware on Macs Using Osquery

Written by Doug Wilson | Oct 20, 2017 4:10:00 PM

There have been several instances where malware has been introduced to OS X machines in the past few months via “supply chain attacks”. This is where a vendor is tricked into distributing, or is compromised in a way, that their legitimate software is either replaced by or includes malware in the distribution bundle. 

 

Some of these have been addressed in the OS X Attacks query pack for osquery — but say you want to check this right away, without having to wait on an update from someone else. One of the cool things about osquery is that it’s trivial in most cases to grab a couple of indicators from a recent bulletin and use osquery to check your macs using just a little knowledge of SQL.

 

Taking an example from today: 

 

https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ — we see that there are a couple of files and locations that are unique to this malware instance — instead of waiting on others, we can quickly create a SQL query with the information from the bulletin:

 

SELECT *
 FROM file
 WHERE path='/tmp/Updater.app/' OR
 path='/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist' OR
 path='/Library/.rand/' OR
 path='/Library/.rand/updateragent.app/';

 

Deploy this to your osquery endpoints via your distributed query system of choice. Hopefully, you get only an empty response set back. But if you do get a row returned, you can start investigating to see if you have this malware on your system, and you didn’t have to wait for a signature update or other researchers to finish what they are doing. For more examples of how to find macOS malware, check out these posts on finding OSX/Mami and CreativeUpdater.

 

If you want to be more exacting, you can combine this with hash values (also included in the osquery file table), but in this example, we’re looking at something that is fairly unique, and going quickly. If this was something where there was a bigger concern about precision (i.e. the name or location of the file was something that might be more easily confused with a legitimate app), or you didn’t have this distinct of a set of files to look for, you might want to include hashes. But I think this addresses this particular threat quickly and simply, and lets you get back to what you were doing in short order (assuming you don’t find anything).

 

Related osquery resources: