macOS Malware Analysis for Reverse Engineers

Most malware analysts and incident responders lack either the equipment or the knowledge to dissect macOS malware. With increasing corporate use of macOS devices, organizations must be prepared to analyze malware and threats that target macOS.

This course uses a practical, hands-on approach to introduce the tools and methodologies learners need to analyze malware that targets the macOS platform.

Course topics include macOS-specific static and dynamic analysis tools and techniques to quickly uncover host- and network-based indicators, analysis of compiled Objective-C code and Cocoa applications using IDA Pro, and the use of the lldb debugger in dynamic analysis. Demonstrations and hands-on labs with real malware will enable learners to immediately apply this knowledge.

Learning Objectives

After completing this course, learners should be able to:

  • Understand macOS internals relevant to malware analysis
  • Create a safe malware analysis environment in macOS
  • Use the tools and methodologies needed to perform basic analysis and extract host- and network-based indicators from malware without running it
  • Use the tools and methodologies needed to analyze malware behavior by executing it in a safe environment
  • Apply disassembly techniques specific to Objective-C executables
  • Debug malware in the macOS environment to monitor and change its behavior at run time

Who Should Attend

Malware analysts, incident responders, intelligence analysts, information security staff, forensic investigators, or others requiring an understanding of how macOS-specific malware works and how to analyze it.

Prerequisites

Training or experience in Windows malware analysis, and familiarity with object-oriented programming, the x86 architecture, IDA Pro, and Unix-like operating systems, is required.

What to Bring

Students must bring their own MacBook with VMware Fusion 7+ installed. Laptops should have at least 30 GB of free space. A currently licensed copy of a fully updated IDA Pro that supports the x86_64 architecture is required. It can be for any OS, as long as it is accessible on the MacBook.

Duration

2 days

Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.