Persistence and Detection - a FinSpy story

How malware gets a foothold on macOS (usually referred to as “gaining persistence”) is a continuous area of research for malware analysts. Authors keep getting more sophisticated on how to ensure their software is not easily removed or detected.

Sadly, the extensive research on how malicious actors gain persistence on Windows does not help us in detecting malware on Macs. And the techniques to hide their software are once again completely different than what actors use on Windows.

Interestingly, it’s not just malware that attempts to get a strong foothold on a system and hide its existence. A number of Potentially Unwanted Programs (PUPs), spyware and adware use the same techniques and are oftentimes the first place we see novel persistence mechanisms implemented. In a series of reports over the weekend, Amnesty International and Jamf Principal Security Researcher Patrick Wardle released their research into an application known as FinSpy (published by FinFisher). This application is often referred to as spyware since it is used as surveillance software by governments and law enforcement around the world. For the sake of efficiency, we’ll use the term “spyware” to refer to the surveillance application in question for the rest of this blog.

Gaining Persistence

For a full rundown of how the application gets persistence and attempts to hide its existence, please head over to Patrick’s blog. Here we’ll look at some of the high-level techniques employed:

• The spyware has to be installed on a victim’s computer, and as such it is dependent on getting the user to run an installer. In this specific example, this was accomplished by hiding the spyware in an installer that also housed an installer for a legitimate application that the targeted user would recognize. By performing the installation of the spyware at the same time as the legitimate software, any unusual activity (such as needing admin privileges) could be explained away:

• Once installed, the spyware registers a LaunchAgent to ensure it stays running on the device. However, the spyware is not signed. This can therefore be used to identify a potential risk on the device.
• To hide the running spyware, a kernel extension (kext) is installed on the device. This piece of software is designed to ensure that normal system monitoring tools like Activity Monitor and many security tools do not see the processes related to the spyware. Apple has recently made kexts much more difficult to use for this purpose since they now are required to be signed and notarized. The kext analyzed in the reports is neither of these things, and will therefore not load on macOS Catalina or later unless an administrator pushes specific policies to the machine or the user agrees to run the kext on reboot.

Detecting Persistence

Determining that something has gained persistence on a device is easy. Identifying that something potentially malicious has gained persistence is hard. Many legitimate applications leverage persistence mechanisms to ensure they are running after every reboot of the Mac in question.

So what can we learn from this research on how to determine if a potentially malicious application or spyware has taken up residence on your device? There are a few things to look for:

• This specific spyware creates some very indicative files on the Mac. The existence of any of these files is a very good indicator that it is active on the device:
  • /private/etc/logind
  • /Library/LaunchAgents/logind.plist
  • logind.kext (likely in /Library/Extensions/)
• Any LaunchAgent that points to an unsigned binary should be cause for concern. Most legitimate applications that register as LaunchAgents are signed, since a user has to specifically request that unsigned applications are run (through something like a right click→Open on the file). Routinely looking for installed applications or LaunchAgents along with their signing information and comparing them to accepted software in use in your organization can be a powerful way to identify unwanted software.
• Applications that attempt to monitor a user usually use a number of common taps into macOS such as the accessibility subsystem. If your security software can monitor these taps for things like key loggers, process monitors, etc., then this is a viable way to detect certain types of spyware.

Hashes related to this specific spyware can be found in Patrick’s technical research.

How can Jamf help?

Jamf Protect today prevents the execution on protected Macs of the installer so that this specific piece of spyware cannot set up persistence. To ensure that similar approaches are not taken by other malware or spyware, Jamf Protect detects the common persistence mechanisms outlined in the research. Jamf Protect will also help provide insight into new LaunchAgents registering, Gatekeeper blocking unsigned applications, and general adherence to OS hardening benchmarks on protected Macs.

With Jamf Pro’s feature set and Jamf Protect’s ability to monitor the unified log on Macs remotely, you can be sure that you understand what is happening and what software is running on your fleet.