MacOS Forensic: How to compare malware app (.dmg) with authentic app in MacOS

Let’s consider a scenario in which you as security analyst needs to investigate if a particular endpoint (laptop, desktop or server) has downloaded a malware flash player. Let’s assume you have endpoint protection in your organization and you have received an alert regarding downloaded malware in ‘X’ Machine.

In most of the cases, you would get enough details in endpoint protection software itself however if you are interested in knowing malware behaviour or what is this new malware does then you would following steps:

  • Download fake malware flash player from virus total and also download authentic flash player from adobe site. You can find malware from virus total as well but that is premium service.
  • Open two command prompts side by side and type command like below image. In below snapshot, I have shown how to find metadata info about any dmg file.
codesign -dvv <file-name>

You can check the same code sign information on fake dmg file and compare it. You will get to know a lot of details.

Another method malware vs real Mac OS App

Another good method is to check contents of app. Basically, you have to compare folder & files within each Mac OS application In order to do that follow below steps:

  • Open malware & authentic app by double click and in Mac OS finder windows. Once it is open it like below image..

Right click on app and use “Show Package Contents”. Do it same for authentic app too and compare the folder structure.

This is a bit of forensics about how to extract metadata & details about malware. I hope this helps.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.