MalChela v4.1: Mac Malware Analysis Arrives

MalChela v4.1 is out today, and the headline is something I’ve been wanting to tackle for a while: dedicated Mac malware analysis tooling. If you’ve been following the channel or the blog, you know MalChela started as a triage-first toolkit aimed at the kinds of samples that show up in Windows-centric IR engagements. That coverage was never the full picture. Mac malware — infostealers, adware loaders, APT implants — has become too common to treat as an edge case. v4.1 is the start at addressing that directly.


New Tools: Mac Analysis

Three new tools land in this release, each targeting a different layer of Mac binary analysis. All three are available in the PWA under the Mac Analysis heading, accessible via CLI shortcodes, and included in the release scripts.

codesign_check (cs)

macOS code signatures are one of the first things worth checking on any suspicious binary. codesign_check accepts either an .app bundle or a bare Mach-O and reports signature status (Developer-signed, Ad-hoc, or Unsigned), Bundle ID, Team ID, and entitlement presence — including the get-task-allow flag that marks debug and development builds. It also verifies the _CodeSignature/ and CodeResources directory structure.

Indicators flagged: missing CMS blob, CS_ADHOC flag, absent Team ID, and get-task-allow entitlement. FileMiner now suggests Code Sign Check automatically for all Mach-O files in a scan. (Planned feature: adding a certificate revocation check).

plist_analyzer (pa)

Parses macOS .plist files and .app bundle Info.plist for static malware indicators. This release includes four new detections:

  • LSUIElement / NSUIElement = true — app runs as a hidden background agent with no Dock icon. Both the modern LSUIElement and legacy NSUIElement (integer 1) forms are now detected, covering older macOS malware that used the pre-Sierra key.
  • NSAllowsArbitraryLoads = true — App Transport Security disabled, a classic C2 channel indicator.
  • CFBundleURLTypes with custom URL schemes — flags non-standard scheme registrations used for persistence or inter-process communication.
  • CFBundleSignature = ‘????’ — no creator code set, common in unsigned tools and malware.
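As an added example (not MalChela's own code), the four Info.plist checks above implemented over a constructed sample plist; the bundle identifier and scheme name are invented for the test input:

```python
import plistlib

STANDARD_SCHEMES = {"http", "https", "file", "mailto", "ftp"}

def _truthy(value) -> bool:
    # plists express flags as <true/>, <integer>1</integer> or <string>1</string>
    return value is True or value == 1 or str(value).lower() in ("1", "true", "yes")

def analyze_info_plist(data: bytes) -> list:
    """Return the static indicators found in an Info.plist (XML or binary form)."""
    info = plistlib.loads(data)
    findings = []
    # Hidden background agent: modern bool key or the legacy pre-Sierra integer key.
    if _truthy(info.get("LSUIElement")) or _truthy(info.get("NSUIElement")):
        findings.append("LSUIElement/NSUIElement set: runs hidden with no Dock icon")
    # App Transport Security disabled. The key normally sits inside the
    # NSAppTransportSecurity dictionary; a top-level copy is checked as well.
    ats = info.get("NSAppTransportSecurity")
    ats = ats if isinstance(ats, dict) else {}
    if _truthy(ats.get("NSAllowsArbitraryLoads")) or _truthy(info.get("NSAllowsArbitraryLoads")):
        findings.append("NSAllowsArbitraryLoads true: ATS disabled, plaintext C2 channel possible")
    # Custom URL scheme registrations (persistence / IPC hooks).
    for entry in info.get("CFBundleURLTypes", []):
        for scheme in entry.get("CFBundleURLSchemes", []):
            if scheme.lower() not in STANDARD_SCHEMES:
                findings.append(f"custom URL scheme registered: {scheme}")
    # No creator code: common in unsigned tooling and malware.
    if info.get("CFBundleSignature") == "????":
        findings.append("CFBundleSignature '????': no creator code set")
    return findings

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.updater</string>
  <key>NSUIElement</key><integer>1</integer>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key><array><string>upd-helper</string></array>
  </dict></array>
  <key>CFBundleSignature</key><string>????</string>
</dict></plist>"""   # constructed sample, not taken from a real bundle

if __name__ == "__main__":
    for finding in analyze_info_plist(SAMPLE_INFO_PLIST):
        print("[!]", finding)
```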

macho_info (mo)

Parses thin and fat/universal Mach-O binaries and reports: architecture, linked libraries, section entropy, symbol status, RPATH entries, __PAGEZERO integrity, and PIE/ASLR flags.

This release also adds deprecated crypto library detection: macho_info now flags linkage against end-of-life OpenSSL libraries (libcrypto.0.9.8, libssl.0.9.8, and variants). There’s no legitimate reason for a modern binary to link these — flag it and investigate further.
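To show how the linked-library and PIE checks above work at the byte level, here is an added example (not macho_info's own code) that walks the load commands of a thin or one-slice fat Mach-O and flags EOL OpenSSL linkage. The binary it parses is constructed in build_sample() from a bare header and LC_LOAD_DYLIB commands, so it runs anywhere; the dylib paths are made up for the test:

```python
import re
import struct

MH_MAGIC_64, FAT_MAGIC, MH_PIE = 0xFEEDFACF, 0xCAFEBABE, 0x200000
DYLIB_CMDS = {0xC, 0x80000018, 0x8000001F}  # LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB
EOL_OPENSSL = re.compile(r"lib(?:crypto|ssl)\.0\.9\.8")

def parse_thin(data: bytes) -> dict:
    """Walk the load commands of a little-endian 64-bit Mach-O; report dylibs and PIE."""
    magic, cputype, _, _, ncmds, sizeofcmds, flags, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, dylibs = 32, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > 32 + sizeofcmds:
            raise ValueError("malformed load command")  # never walk past the declared area
        if cmd in DYLIB_CMDS:
            name_off, = struct.unpack_from("<I", data, off + 8)  # dylib.name offset
            raw = data[off + name_off : off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return {"cputype": cputype, "pie": bool(flags & MH_PIE), "dylibs": dylibs,
            "eol_openssl": [d for d in dylibs if EOL_OPENSSL.search(d)]}

def parse_macho(data: bytes) -> list:
    """Fat/universal files carry a big-endian header; parse each slice separately."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_thin(data)]
    nfat, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):
        _, _, offset, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)  # fat_arch
        slices.append(parse_thin(data[offset : offset + size]))
    return slices

def build_sample(dylibs, flags, fat=False) -> bytes:
    """Constructed test input: minimal arm64 header plus LC_LOAD_DYLIB commands, no segments."""
    cmds = b""
    for name in dylibs:
        path = name.encode() + b"\0"
        path += b"\0" * (-len(path) % 8)  # load commands are 8-byte aligned
        cmds += struct.pack("<IIIIII", 0xC, 24 + len(path), 24, 0, 0, 0) + path
    thin = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), flags, 0) + cmds
    if not fat:
        return thin
    # one-slice universal wrapper: fat_header + fat_arch, slice placed at offset 4096
    hdr = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">IIIII", 0x0100000C, 0, 4096, len(thin), 12)
    return hdr.ljust(4096, b"\0") + thin
```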


mStrings — Mac Tuning

Running mStrings against Mach-O binaries previously produced a lot of noise: ObjC runtime stubs, Swift mangled symbols, and Apple system library paths that add volume without adding signal. A new is_objc_swift_noise() filter suppresses these categories:

  • _objc_* runtime stubs
  • @_* import stubs (including @_LSSharedFileList*, which was previously surfacing as false-positive filesystem IOCs)
  • Swift mangled symbols (_$s*, _T0*, swift_*)
  • Apple system dylib paths under /System/Library/Frameworks/ and /usr/lib/swift/
  • ObjC type encoding strings

Alongside the noise filter, 12 new Mac-specific MITRE detection rules have been added to detections.yaml:

Rule                               Technique
MacLaunchAgentDaemonPersistence    T1543.001
MacLoginItemPersistence            T1547.015
MacShellProfileInjection           T1546.004
MacCronJobPersistence              T1053.003
MacDylibInjection                  T1574.006
MacKeychainAccess                  T1555.001
MacAppleScriptExecution            T1059.002
MacUnixShellExecution              T1059.004
MacPrivilegeEscalation             T1548.004
MacSystemDiscovery                 T1082
MacSandboxVMEvasion                T1497.001
MacSensitiveFileAccess             T1005

Mac path extraction also gets a dedicated regex: re_mac_path captures filesystem IOCs in Mac-style paths (.sh, .py, .dylib, .plist, .app, .pkg, .command) under /Users/, /Library/, /tmp/, and related directories.
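An added example, not mStrings' own code, covering both the noise filter and the path extraction described in this section: the regexes are constructed here from the categories listed above, and the strings-output excerpt is made up for the test.

```python
import re

# Categories suppressed by the noise filter (regexes constructed for this example).
_NOISE = [
    re.compile(r"^_objc_"),                                         # ObjC runtime stubs
    re.compile(r"^@_"),                                             # import stubs, e.g. @_LSSharedFileList*
    re.compile(r"^_?\$s|^_?T0|^swift_"),                            # Swift mangled symbols and runtime
    re.compile(r"^/System/Library/Frameworks/|^/usr/lib/swift/"),   # Apple system dylib paths
]
# ObjC method type encodings ("v16@0:8", "@24@0:8@16"): only encoding chars plus offsets.
_TYPE_ENCODING = re.compile(r"^[vcislqCISLQfdB@#:*?^\[\]{}0-9]+$")

def is_objc_swift_noise(s: str) -> bool:
    if any(p.search(s) for p in _NOISE):
        return True
    return bool(_TYPE_ENCODING.match(s)) and "@" in s and any(c.isdigit() for c in s)

# Mac-style path with a script/binary/bundle extension under the directories of interest.
RE_MAC_PATH = re.compile(
    r"(?:/Users|/Library|/private/tmp|/tmp|/Applications)/[^\s\"']*?"
    r"\.(?:sh|py|dylib|plist|app|pkg|command)\b"
)

def extract_mac_path_iocs(strings):
    """Drop runtime noise first, then pull path IOCs out of what remains."""
    hits = []
    for s in strings:
        if is_objc_swift_noise(s):
            continue
        hits.extend(m.group(0) for m in RE_MAC_PATH.finditer(s))
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order

SAMPLE_STRINGS = [  # constructed strings-output excerpt, not from a real sample
    "_objc_msgSend",
    "@_LSSharedFileListInsertItemURL",
    "/Users/Shared/.update.sh",
    "_$s10Foundation4DataV",
    "v16@0:8",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "/usr/lib/swift/libswiftCore.dylib",
    "/Library/LaunchAgents/com.example.agent.plist",
    "swift_retain",
    "osascript -e 'display dialog'",
]
```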


FileMiner — Session Persistence

FileMiner scan results now persist across browser close and refresh. Results, the analyzed path, and the set of executed sub-tools survive in localStorage automatically. On each scan, a session.json is also written server-side to saved_output/fileminer/ — or to the active case folder under saved_output/cases/<case>/fileminer/ when Save to Case is checked.

A Load Session button in the FileMiner options bar opens a file browser pre-navigated to the correct session directory. Selecting a session.json restores the full results table and re-populates the path input. Like the previous GUI, FileMiner now tracks tool runs for suggested tools (green indicates a tool report has already been generated).

MalChela v4.1 is available now on GitHub. As I said, this is just the start of the macOS malware support. I’m looking forward to taking this much further.

Toby-Find: Simplifying Command-Line Forensics Tools

In digital forensics, we often take a toolbox approach — success hinges on having the right tool for the job. Some tools offer broad functionality, while others are deeply specialized. Distributions like KALI and REMnux do a fantastic job bundling a wide range of forensic and security tools, but keeping track of what’s actually installed can be a challenge.

If you’re using a graphical interface, browsing through available packages is fairly intuitive. But when you’re living in the terminal — as many analysts do — that discoverability disappears. There’s no built-in index of command-line tools or how to invoke them.

The first version of Toby-Find was born out of necessity. I teach a Network Forensics course at the university, using a custom VM loaded with tools like Zeek, Tshark, Suricata, and more. I wanted students to have an easy, searchable way to see what CLI tools were available and how to run them — without needing to memorize commands or dig through man pages.

Later, when I built Toby (a forensic-focused Raspberry Pi rig running a customized KALI install), I updated Toby-Find to include the complete CLI toolset geared toward forensics and malware analysis from the KALI ecosystem.

And because I can’t leave well enough alone, I decided to build a REMnux-compatible version too.

Once installed, you can launch Toby-Find (via tf, toby-find, or tf-help) from any terminal and instantly search for tools, descriptions, examples, and more.

[Screenshot: Toby-Find on REMnux]
[Screenshot: Toby-Find on Kali]

📦 Installation

1. Clone the repository:

git clone https://github.com/dwmetz/Toby.git

2. Make the install script executable:

cd Toby
chmod +x install.sh

3. Run the installer:

./install.sh

4. Follow the prompt to choose your environment (KALI or REMnux).
5. Open a new terminal or run:

source ~/.bashrc   # or ~/.zshrc depending on shell

🚀 Usage

tf [keyword]

Examples:

tf yara
tf volatility
tf hash

To view the full list:

tf-help

Whether you’re working from a custom VM, a rugged Pi, or a hardened REMnux box, Toby-Find gives you a fast, terminal-friendly way to surface the tools at your disposal — without breaking focus. It’s lightweight, portable, and easy to extend for your own lab or classroom.

You can grab the full installer from GitHub, and contributions are always welcome. If you find it helpful — or build on it — I’d love to hear about it.