XUnprotect: Reverse Engineering macOS XProtect Remediator


The macOS threat landscape has changed considerably in recent years with the ever-increasing prevalence of macOS malware. In response, Apple has expanded the capabilities of XProtect by introducing new components such as XProtect Remediator (XPR) and XProtect Behavior Service. XPR periodically scans for and removes malware, restoring infected devices. However, because little detailed reverse engineering of it has been published, its detection and remediation capabilities remain unclear.

In this presentation, we share the results of our reverse engineering of XPR. Since XPR binaries are stripped Swift binaries, detailed analysis was challenging. We developed custom tools for static and dynamic analysis of Swift binaries, which allowed us to perform a thorough investigation. Our analysis uncovered intriguing detection logic that goes beyond the previously known simple scanning with YARA rules. This includes a creative mechanism that employs OCR to detect malware performing a Gatekeeper bypass. Furthermore, our examination revealed Apple-exclusive threat intelligence, including information related to malware believed to be the TriangleDB macOS implants. Remarkably, we discovered that XPR’s detection logic is described in a custom DSL built on Swift Result Builders—the same technology that powers SwiftUI’s declarative syntax. Our analysis of the DSL demonstrated that it significantly helps in understanding the details of XPR’s detection logic.

In addition, we revealed a novel mechanism—Provenance Sandbox—that XPR uses to track the origin of remediated files. This provenance information serves as a valuable forensic artifact even for third-party security vendors.

This presentation provides valuable insights into XPR internals for blue teams working on macOS security. The tools being introduced will help security researchers analyze future XPR updates to obtain Apple’s threat intelligence included in XPR. Additionally, information on XPR vulnerabilities and Provenance Sandbox bypasses will benefit red teams.

By:
Koh Nakagawa | Security Researcher, FFRI Security, Inc.

Presentation Materials Available at:
https://blackhat.com/us-25/briefings/schedule/?#xunprotect-reverse-engineering-macos-xprotect-remediator-44791