Background:
Analyzing macOS malware can be challenging, especially when dealing with macOS native file types like PKG files. When I started macOS malware analysis, I couldn't find any resource available except Patrick Wardle's book "The Art of Mac Malware Vol 1" In this article, I will guide you through the intricacies of PKG file analysis which will enhance your macOS Malware Analysis skills.
What is a PKG file?
A Package file often called as PKG file is a package file format used primarily on macOS and iOS systems to install an application.
Are also referred as "flat packages".
You can refer PKG files as the "EXE/MSI/MSIX Installer files" of the 🍏 world! :)
PKG files are a compressed xar archive
malware@malware % file Aftermath.pkg
Aftermath.pkg: xar archive compressed TOC: 4138, SHA-1 checksumPKG Files are signed using a digital signature (a developer certificate issued by Apple)
⚠️ It is always advised to do analysis in the native environment of the executable i.e macOS executable in a macOS environment ⚠️
Why are PKG files commonly used by Threat Actors?
It does not require mounting like DMG files!
It can be directly opened and installed :)
No need to drag and drop like dmg installer files.
It is super easy to install using the command line! (Ideal for Threat Actors having CLI access!)
How to install a PKG file via CLI?
sudo installer -pkg <filename.pkg> -target /ApplicationsPassword:installer: Package name is Aftermathinstaller: Upgrading at base path /installer: The upgrade was successful.They can be repurposed for malicious purposes😈
Can be disguised as Drivers
Commonly printer drivers
This may not appear as an icon in your /Applications so it's a sweet hiding place :)
Most of them will not have uninstallers to uninstall the installed applications
Even if you feel that the installed pkg file doesnt work, you would not be able to uninstall it unless you have Terminal knowledge!
Includes pre-installation and post-installation scripts
It is usually in Bash script/scripts
Why?
Because bash is readily available on macOS and does not require to install it separarely to run or has any dependency on third party libraries.
However PKG files can also contain other scripts like
Python
Perl
AppleScript
Ruby Scripts
Sometimes you may find other files inside a PKG file like:
PKG files
ZIP files
dylibs
Provision Profile
PKG File Structure:
A PKG file is a self-contained file, i.e., it includes all the files and resources required for software installation. Here’s an overview of the typical structure of a PKG file:
Package Info Files: These files contain metadata about the package, such as the package name, version, and installation requirements.
PackageInfo
Distribution
Payload: This directory contains the files that will be installed on the target system. It includes the actual application files, libraries, and other resources.
Payload
Applications
Library
bin
Scripts: These are the scripts that run during the installation process.
preinstall (Pre-installation script)
postinstall (Post-installation script)
preremove (Pre-removal script)
postremove (Post-removal script)
Apart from the primary installation scripts, this directory can contain other types of scripts, like Python, Perl, AppleScript, and Ruby, used to perform specific tasks during installation.
preinstall
postinstall
Bom Files: These files are known as Bill of Materials (BOM) and are used to keep track of the files and directories included in the package.
BOM
Resources: This directory contains additional resources needed for the installation, such as localization files (local/internal languages) and images.
Resources
en.lproj
fr.lproj
images
Signature: This file contains the digital signature of the package, ensuring its authenticity and integrity.
Signature
Analyzing PKG Files:
It goes without saying that "Always analyse suspicious file inside a sandbox". You do not want to get your corporate device infected or trigger any EDR/XDR alerts :) .
There are 4 ways to analyze a PKG file:
CLI
GUI
Automated
Dynamic Analysis
CLI analysis of PKG files:
Using pkgutil
This is a very powerful inbuilt system utility on macOS located at /usr/sbin/.
You can explore on how this utility can be useful by checking pkgutil man page in macOS terminal
For analysis of a suspicious PKG file, the below commands will be of great help:
Extract any Bom files from the pkg
Validate the signature of the pkg at PATH and print certificate information
List the paths archived within the (m)pkg at PA
List all currently installed package IDs on --volume (on the macOS)
Using ipsw pkg
IPSW project developed by blacktop is called "iOS/macOS Research Swiss Army Knife"
It is used to download and analyze the firmaware of iOS and macOS for various purposes. Some of them are:
IPSW downloader/exploder
OTA downloader/exploder
macho parser
ObjC class-dump
Swift class-dump 🚧
dyld_shared_cache parser
kernelcache parser
img4 parser/decrypter
device-tree parser
ARM v9-a disassember
research tool
Below is the man page of ipsw pkg which assits in Listing the contents of a DMG/PKG file. This is a work-in-progress tool 🚧 hence not all features are working at the moment
ipsw pkg -h 🚧 List contents of a DMG/PKG fileUsage: ipsw pkg PKG [flags]Flags: -a, --all Show all contents -b, --bom Show BOM -d, --dist Show distribution -f, --flat Do NOT preserve directory structure when extracting with --pattern -h, --help help for pkg -o, --output string Output folder -p, --pattern string Extract files that match regex -l, --pay Show Payload -s, --scripts Show scriptsGlobal Flags: --color colorize output --config string config file (default is $HOME/.config/ipsw/config.yaml) --no-color disable colorize output -V, --verbose verbose outputFor analysis of a suspicious PKG file, the below commands will be of great help!
Listing BOM
Show all contents of a PKG file
Using spctl
Check the code-signing information from native macOS utlity spctl
malware@malware % spctl -a -vvv -t install Aftermath.pkgAftermath.pkg: acceptedsource=Notarized Developer IDorigin=Developer ID Installer: Jaron Bradley (C793NB2B2B)GUI Analysis of PKG Files
Using What's Your Sign?
This is one of the best tools for quickly checking the signature of the file
This is an open-source tool from Objective-See Foundation
Tool available at: https://objective-see.org/products/whatsyoursign.html
Whats Your Sign? Features:
Signature check
Hash check
Entitlements check
Direct integration into Finder.app so you can just right click on a file and open it!
Using Suspicious Package
This is one of my favorite tools for inspecting a PKG file.
This tool is developed by Mothers Ruin Software
Tool available at: https://www.mothersruin.com/software/SuspiciousPackage/
Suspicious Package Features:
You can Inspect the PKG without actually installing it!
Export Files of Interest for further analysis
Easy to use GUI for navigation and easy to understand
Quick View of the files located inside it without opening/executing it (just press space to view the contents of a file)
Ease of checking the Metadata like:
Developer ID
Notarizaton Ticket
Install Scripts
Executbable architecture
File size
BOM
Using Pacifist
One of the best tool I've found for file analysis
Tool developed by CharlesSoft
Tool available at: https://www.charlessoft.com/
Benign PKG file Analysis:
Malicious PKG File Analysis:
Pacifist Features:
Inbuilt file and hex viewer (just press space to check the contents)
Export files
Supports other file types like .zip, .tar, .cpio or .xar archive or disk image along with .pkg file.
Can open a package, archive or disk image remotely over the internet (without actually downloading it)
File Verify
You can verify if the PKG/DMG file was installed on your machine using this cool feature!
Fig 10. Verify feature of Pacifist 
Fig 10.1 Verify file feature Fig 10.1 shows the output of Verify. Im this case, the package was not installed on the disk hence it displays 2 of 462 files present on disk. (These files are the original pkg files present on the machine used for analysis).
Fig 10.2 Output after clicking Verify from Pacifist.
Analyze Existing System Installations which includes files intalled via third-party installers (This will display all of your installed Applications, Frameworks, Extensions):
Frameworks
Applications (installed via App Store or not)
Extensions
Preference Panes
All Installations (.pkg files)
Automated analysis of PKG files:
The easiest way to drop it in automated malware analysis sandboxes like VMRay, Intezer, Anyrun, Joe Sandbox, Crowdstrike Falcon, VirusTotal by considering your organization's OPSEC policy.
The other way is executing it in a macOS VM/Sandbox using SiliconBox CLI.
This will generate the logs which can be used for further analysis
This is a dynamic analysis tool hence try it inside your macOS sandbox :)
Tool available at: https://thesiliconbox.com/community-edition/
Analyzing PKG file using SiliconBox CLI:
Prerequsites:
Make sure you provide Full Disk Access from Setting to Terminal
Run as root
Fig 11. Automated analysis of PKG file using SiliconBox Command to use:
siliconbox <file.extension> -t <time> -r sane -aOutput:
All the logs are captured in /tmp directory
Analyze these file in your text editor/viewer and Wireshark to parse the pcap file.
Analyse the raw ES logs (JSON) in SpriteTree
SiliconBox Features:
Works only on ARM64 based machines
Verbose log output. (can be utilized later for analysis)
Logs captured:
ESLogs
AppleUnified Logs
Network traffic is captured which can be used for analysis
Parsed and saved in separate text file containing all inbound and outbound network connections
Dynamic analysis of PKG files:
Load the file in macOS sandbox with monitoring tools installed on it.
I love using Red Canary's Mac Monitor tool for monitoring and analyzing the activity!
Tool available at: https://github.com/redcanaryco/mac-monitor
This tool captures the ES Logs and represents a GUI for analyzing it
Mac Monitor Features:
Captures ES Logs via Security Extension
Event correlation
Process grouping
Artifact filtering
Telemetry export
Using Windows for PKG File analysis:
What if you do not have a macOS?
Don't worry, you can still analyse PKG file on Windows but with certain limitations like:
Signature details
Entitlements
Since a .pkg file is a compressed xar archive, you can use 7zip to extract it and get all the contents of the file. Just double click the file to go inside the directory and you can check all the contents and export it for your analysis!
What to look out for while analyzing a PKG file?
Signature
If signed:
Is the file signed?
Who is the signer?
Search for the Developer/Team ID in VT/any other Threat Intel Platform to check the reputation about the developer
Use spctl command
spctl -a -vvv -t install <file.pkg>
If not signed, it should ring some bells 😈
Not every unsigned file would be malicious 'coz developers build their own pkg files locally for testing purposes (It doesnt make sense to sign your file while testing, only the final build/version gets signed when it is ready to be shipped!)
Is there a Notarization ticket stapled?
If yes when was it Notarized?
What is the architectures of the file?
Is it Intel or ARM or both?
Analyze the file dynamically accordingly in the sandbox
Entitlements requested
Check out and search about entitlements.
Some entitlements just dont belong to that application!
Does it contain any install scripts?
Check for postinstall and preinstall scripts. These would be bash scripts normally.
So, determine the capability of it by analyzing it manually or using AI! :)
Check for BOM name
Identify the BOM name and later check during dynamic analysis if this exists on the machine. This is a good indication that the package file was installed.
BOM files are always located with a bom extension at:
/private/var/db/receipts/<filename.bom>
How macOS Sequoia changed the PKG file use and abuse?
Before macOS Sequoia, PKG files used to run just fine.
In and after macOS Sequoia it changed how PKG file is run and executed.
Once you double click a PKG File, it is usually scanned by Apple's security feature called Gatekeeper and prevents it from opening and displays the following popup.
You would need to go to Settings --> Privacy & Security and Click Open Anyway in order to run the PKG file
Once again click Open Anyway on the popup and enter your macOS password.
