Binary facades: script extraction from compiled macOS malware - Patrick Wardle (Objective-See)
Author: Virus Bulletin
Uploaded: 2025-11-23
Views: 64
Description:
Binary facades: script extraction from compiled macOS malware
Presented at the VB2025 conference in Berlin, 24 - 26 September 2025.
↓ Slides: https://www.virusbulletin.com/uploads...
↓ Paper: N/A
→ Details: https://www.virusbulletin.com/confere...
✪ PRESENTED BY ✪
• Patrick Wardle (Objective-See)
✪ ABSTRACT ✪
When confronted with malicious macOS binaries, analysts typically reach for a disassembler and immerse themselves in the complexities of low-level assembly. But what if this tedious process could be skipped entirely?
While many malware samples are distributed as native macOS binaries (easily run with a simple double-click), they frequently encapsulate scripts hidden within executable wrappers. Leveraging frameworks such as PyInstaller, Appify, Tauri, and Platypus, malware authors embed their scripts within native binaries, complicating traditional analysis. This technique has become increasingly common, reflecting a broader trend of macOS malware authors diversifying their tooling and approaches to evade detection and hinder analysis. Although these frameworks share the goal of producing natively executable binaries, each employs a distinct method to embed scripts, thus necessitating tailored extraction tools and approaches.
Using recent real-world macOS malware (such as Shlayer, CreativeUpdate, GravityRAT, and others), we'll first demonstrate how to identify these "faux binaries" and then how to efficiently extract or reconstruct their embedded scripts, bypassing the disassembler entirely!
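As an added example for this listing (not the speaker's tooling and not code from the talk), the script below walks PyInstaller's CArchive layout, the one wrapper in the abstract's list whose on-disk format is well known: a cookie (`!8sIIii64s`) at the tail of the archive, a table of contents of `!iIIIBc` entries, and zlib-compressed payloads, relative to the archive start. It builds a synthetic archive in-script so it runs offline; the Mach-O-looking prefix bytes, entry names and script text are constructed fixtures, not a real sample. In a real PyInstaller-built Mach-O the `s` (PYSOURCE) entries hold marshalled code objects rather than `.py` text, which is why the last step loads them with `marshal` to recover identifiers and string constants.

```python
"""Identify a PyInstaller-wrapped binary and pull its embedded scripts out of the CArchive."""
import marshal
import struct
import sys
import zlib

# PyInstaller CArchive constants (the layout the PyInstaller bootloader reads).
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # cookie magic
COOKIE_FMT = "!8sIIii64s"                   # magic, package len, TOC pos, TOC len, python ver, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)    # 88 bytes
ENTRY_FMT = "!iIIIBc"                       # entry len, data pos, compressed len, uncompressed len, flag, type code
ENTRY_LEN = struct.calcsize(ENTRY_FMT)      # 18 bytes
TYPE_NAMES = {b"s": "PYSOURCE", b"m": "PYMODULE", b"M": "PYMODULE", b"z": "PYZ", b"Z": "ZIPFILE",
              b"b": "BINARY", b"x": "DATA", b"o": "OPTION", b"d": "DEPENDENCY"}


def find_cookie(blob):
    """Offset of the CArchive cookie, or None. The cookie sits at the archive tail, so search from the end."""
    pos = blob.rfind(MAGIC)
    return None if pos < 0 else pos


def is_pyinstaller(blob):
    """Cheap triage check: does the file carry a CArchive cookie at all?"""
    return find_cookie(blob) is not None


def parse_archive(blob):
    """Return the cookie fields plus the TOC entries with absolute data offsets."""
    cookie_pos = find_cookie(blob)
    if cookie_pos is None:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_LEN])
    # pkg_len counts everything up to and including the cookie; TOC and data
    # positions are relative to the archive start, not to the start of the file.
    start = cookie_pos + COOKIE_LEN - pkg_len
    entries, off = [], start + toc_pos
    while off < start + toc_pos + toc_len:
        entry_len, data_pos, clen, ulen, flag, typ = struct.unpack(ENTRY_FMT, blob[off:off + ENTRY_LEN])
        if entry_len < ENTRY_LEN:
            raise ValueError("corrupt TOC entry")
        name = blob[off + ENTRY_LEN:off + entry_len].rstrip(b"\0").decode("utf-8")   # name is NUL-padded
        entries.append({"name": name, "type": typ, "kind": TYPE_NAMES.get(typ, "?"),
                        "data_pos": start + data_pos, "clen": clen, "ulen": ulen, "compressed": bool(flag)})
        off += entry_len
    return {"pyver": pyver, "pylib": pylib.rstrip(b"\0").decode("utf-8"), "entries": entries}


def read_entry(blob, entry):
    """Payload bytes for one TOC entry, inflated if the compression flag is set."""
    raw = blob[entry["data_pos"]:entry["data_pos"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def extract_scripts(blob):
    """{name: bytes} for every PYSOURCE ('s') entry, i.e. the scripts the bootloader will execute."""
    return {e["name"]: read_entry(blob, e) for e in parse_archive(blob)["entries"] if e["type"] == b"s"}


def strings_from_code(code_bytes):
    """Identifiers and string constants from a marshalled code object, recursing into nested functions.
    marshal is interpreter-specific: for a real sample run this under the Python the cookie's
    pyver names (current releases encode 3.11 as 311), or prepend a pyc header and use a decompiler."""
    names, strs = set(), set()

    def walk(co):
        names.update(co.co_names)
        for c in co.co_consts:
            if isinstance(c, str):
                strs.add(c)
            elif hasattr(c, "co_consts"):
                walk(c)

    walk(marshal.loads(code_bytes))
    return sorted(names), sorted(strs)


def build_archive(items, pylib=b"Python3"):
    """Constructed fixture: assemble a minimal CArchive in the same layout parse_archive reads."""
    body, toc = b"", b""
    for name, typ, data, compress in items:
        payload = zlib.compress(data) if compress else data
        nm = name.encode("utf-8") + b"\0"
        nm += b"\0" * ((-(ENTRY_LEN + len(nm))) % 16)          # pad entry to a 16-byte boundary
        toc += struct.pack(ENTRY_FMT + "%ds" % len(nm), ENTRY_LEN + len(nm),
                           len(body), len(payload), len(data), int(compress), typ, nm)
        body += payload
    pyver = sys.version_info[0] * 100 + sys.version_info[1]
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(body) + len(toc) + COOKIE_LEN, len(body), len(toc), pyver, pylib)
    return body + toc + cookie


# Constructed sample: a stand-in "bootloader" prefix (MH_MAGIC_64 plus padding) followed by an archive
# whose scripts are marshalled code objects, as in a real PyInstaller build. Benign, made-up content.
SAMPLE_SRC = 'import urllib.request\nC2 = "http://127.0.0.1:8080/beacon"\ndef beacon():\n    return urllib.request.urlopen(C2).read()\n'
SAMPLE_BINARY = b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + build_archive([
    ("pyiboot01_bootstrap", b"s", marshal.dumps(compile("pass\n", "pyiboot01_bootstrap", "exec")), True),
    ("stage2", b"s", marshal.dumps(compile(SAMPLE_SRC, "stage2", "exec")), True),
    ("libpython3.dylib", b"b", b"\xcf\xfa\xed\xfe" + b"\x00" * 16, False),
])

if __name__ == "__main__":
    info = parse_archive(SAMPLE_BINARY)
    print("PyInstaller build, python %d, lib %s" % (info["pyver"], info["pylib"]))
    for e in info["entries"]:
        print("  %-12s %-24s %6d -> %6d bytes" % (e["kind"], e["name"], e["clen"], e["ulen"]))
    for name, code in extract_scripts(SAMPLE_BINARY).items():
        names, strs = strings_from_code(code)
        print("script %s: names=%s strings=%s" % (name, names, strs))
```

The TOC walk is the part that carries over to a real sample; pyinstxtractor implements the same layout end to end (including the PYZ archive and pyc header reconstruction), so this block is best read as the minimum needed to confirm a "faux binary" is a PyInstaller build and to see which scripts it will run.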