Modern macOS userland runtime analysis

2021

Abstract

The continued rise of Apple's macOS in both the home and workplace has led to a significant rise in the capabilities of both malware and attacker toolkits that target the operating system and its users. Over the last several years there have been numerous documented instances of macOS users being targeted by governments, intelligence agencies, and criminal groups, and the end result of these attacks was the victims having highly sophisticated malware installed on their systems. Unfortunately, the rise of these threats has not been met with an equal research and development effort by the memory forensics community. This has led to a gap in automated analysis in memory forensic frameworks and has left inexperienced investigators with little chance of detecting the malware's presence. Even for experienced investigators, detection was still difficult in many circumstances and required significant manual investigation for a chance at success. This paper documents our research effort to close this gap through the development of novel memory forensic capabilities aimed at detecting advanced, real-world malware that targets macOS systems. This research was driven by analysis of numerous malware samples that were used as part of espionage and criminal attack campaigns, and the end result was three new Volatility plugins that automate the detection of such malware. By leveraging these plugins, investigators of all skill levels can detect macOS userland malware in an automated, scalable, and flexible manner.