Why SiliconBox?

A physical malware analysis sandbox for macOS. So why did we decide to build a solution that turns a nice clean MacBook into a place to detonate the dirtiest stuff we can find targeting macOS users?

TL;DR: Existing solutions either don’t offer features we want or are crazy expensive. Or both. Plus we thought it could be fun.

For those more interested, we also went through a number of the options out there. Here is a shortlist of arguably the best-known existing sandboxing solutions. Note that we only cover the options that provide at least some kind of macOS support. The list is not exhaustive, as we can't claim to know about everything that's out there.

What we wanted and what we checked for in the solutions:

  • macOS version & architecture support – can I run my samples on the latest OS version and on Apple Silicon?
  • Ease of use – can I get, for example, a junior SOC analyst to execute a sample and get results as easily as checking a hash on VirusTotal?
  • Report – is the report clear and readable, and does it provide actionable output for quick triage?
  • File type support – can I only execute Mach-O binaries, or also something more custom like DMG, PKG or AppleScript files? Maybe even visit a site with a nice piece of JavaScript triggering a WebKit exploit?
  • Customizable – can we configure parameters like running time, interactivity and the custom programs installed?
  • Cost – can I buy a car with the money required to get a license?
  • X-factor – what makes the solution stand out compared to the other solutions available?

Full disclosure: we trialed only the free versions; price estimates for paid licenses are from various online forums and message boards. We won't link them, as they can be found easily with a bit of Google dorking.

Tria.ge

Malware analysis sandbox from former developers of Cuckoo sandbox. Provides sandboxes for Windows, Linux, Android, and macOS.

  • macOS version & architecture support – the macOS version provided is 10.15 (Catalina) and the architecture is Intel. Considering that Apple has finished its migration from Intel to Arm and the latest OS version is 14, not ideal.
  • Ease of use – pretty straightforward, no problems encountered in getting started.
  • Report – not too shabby: the cloud option provides a general view, a signatures view, a process listing, network requests, a MITRE ATT&CK matrix (albeit a bit outdated), and my favorite, the replay monitor. A bit too verbose though; it contains unnecessary data (listings of normal macOS activity).
  • File type support – limited but covers the main ones: APP, DMG, ELF, Mach-O, PKG, SCPT.
  • Customizable – options exist to configure networking and set a timeout, and you can interact with the machine remotely.
  • Cost – I can't buy a proper house, but a decent caravan is possible.
  • X-factor – I would say the live interaction with the device really caught my eye.

All in all a nice solution, especially the possibility to interact with the machine during analysis. We appreciate the option to use it for free as well. Some samples didn't detonate; for example, with a DMG containing the infamous AMOS InfoStealer we couldn't get it to accept a password. The solution is also one of the priciest options out there.

Hybrid Analysis

Hybrid Analysis is a free malware analysis service developed by Payload Security. They advertise themselves as a free malware analysis service for the community that detects and analyses unknown threats using a unique Hybrid Analysis technology.

Payload Security along with Hybrid Analysis was acquired by CrowdStrike, a global US-based cybersecurity service provider with a wide range of offerings, in 2017.

  • macOS version & architecture support – we're greeted again with OS version 10.15 (Catalina; Big Sur, which succeeded it, brought big changes) running on, you guessed it, Intel. Note that the free version doesn't support macOS at all.
  • Ease of use – couldn't trial the macOS version, but it seems pretty straightforward and reminds me of VirusTotal.
  • Report – report available in the cloud portal with static and dynamic analysis results.
  • File type support – Mach-O support.
  • Customizable – you can set some network connectivity options, but otherwise very limited.
  • Cost – depends on the bundle you buy, but in general cheaper than Tria.ge. A car? Yes, but not something Jon Voight would drive.
  • X-factor – bundled into various CrowdStrike offerings.

In summary, it doesn't provide many options. The static analysis is likely the part that would detect malicious samples, but it feels more like a solution that can detect very basic and already known Mach-O malware.

Joe Sandbox

Joe Sandbox is one of the best-known malware sandbox providers out there. It's also one of the most expensive ones. In addition to a cloud-based sandboxing solution, they provide various products related to malware triage, tooling integrations and SOAR automation.

  • macOS version & architecture support – the most impressive offering: OS versions from 10.14 to 13, and both architectures. Apple Silicon is provided to paying customers through physical Apple devices with Arm architecture.
  • Ease of use – arguably a bit more complex than the preceding ones, as it offers more options for configuring the run. Meant for users who are a bit more familiar with malware analysis.
  • Report – report available in the cloud portal in various formats.
  • File type support – a wide variety, depending on the software installed on the machine.
  • Customizable – exact details couldn't be identified, but likely pretty good.
  • Cost – I can buy a car.
  • X-factor – the most extensive support for macOS seen so far.

Joe Sandbox seems like a very nice solution. Unfortunately it is also very expensive, and our attempts to get a trial with them weren't fruitful.

VirusTotal

VirusTotal was launched in June 2004 by a small Spanish company, Hispasec Sistemas. It provided a website to scan files and sites to determine whether they are safe or not. As it became one of the go-to places for people wanting to scan suspicious files and sites, it has grown into a solution offering a variety of ways to hunt for and analyze threats.

  • macOS version & architecture support – the full offering is unknown, but 11.6 and 13 are advertised in VirusTotal's document on its in-house sandboxes. They seem to cover both architectures as well.
  • Ease of use – the dynamic analysis option seems easy: submit and forget.
  • Report – report available in the cloud portal in various formats.
  • File type support – Mach-O, DMG, PKG, ISO, shell scripts, AppleScript, zipped APP (more limited for the Arm architecture: Mach-O, DMG, PKG).
  • Customizable – not available (or if the Enterprise license/Premium API offers something, that fact was not identified from the documentation).
  • Cost – I can buy a car. And a house.
  • X-factor – integration with VT and its other offerings.

VirusTotal is an awesome solution. Unfortunately, you also have to have an awesome bank account to use it. Or an awesome brain, as they do offer some discounted access to academics (not sure which features exactly, but a very nice initiative).

Honorable mentions

Cuckoo/CAPEv2: the legendary open-source Cuckoo sandbox was my first experience with sandboxing and with cleaning up the results from noise. It is one of the reasons I am still interested in the concept and idea of sandboxing. Shout-out to mac-a-mal as well. Unfortunately Cuckoo was retired. CAPEv2 is also mentioned because, although I haven't tested it myself, the project is derived from Cuckoo v1. Hopefully we get a chance to give that solution a try.

esfriend: esfriend is a minimal malware analysis sandbox for macOS. It is not actively maintained anymore (last update in February 2023). It is one of the best options for setting up a personal malware analysis sandbox on Apple Silicon devices, or for taking inspiration while developing your own sandbox. It requires a significant amount of engineering to get working, and even some development effort to get certain features to function properly on the versions of macOS released after February 2023.

Any.run: they don't have a macOS option, but the features they have for Windows sandboxing are pretty great.

This is why

So, to summarize the reasons we are developing SiliconBox:

  1. We wanted to run the latest samples on the latest MacBooks. An employee's MacBook (IDC sees a big enterprise shift to Macs over the next 12 months) should be switched out every 2-3 years. Having a sandbox running Catalina on Intel architecture does not instill confidence.
  2. We don't want to upload our samples to the public cloud. We might not even want to upload artifacts to a private cloud.
  3. Education and training options for macOS malware analysis and forensics are not keeping up with the proliferation of macOS malware. To quote the legendary Objective-See: “And yes, though I make this claim annually, it held especially true this year, as the number of new macOS malware specimens increased roughly 100% over last year!”
  4. Cost efficiency – one physical MacBook will last 3 years. Paying for the solutions covered above for 3 years... oh, how many cars. And MacBooks! And a house!
  5. We like control – configuring the MacBook with custom options, setting the necessary security hardening (all off or fully amped up), adding vulnerable apps and things leaking creds, interacting with the sample: we want it all.
  6. And, as mentioned at the beginning, we thought it could be fun.

If you enjoyed the article and would be interested to discuss more, feel free to contact us via info@maecers.ee.
