Back to main page

Contents

macOS sandbox detection methods
1. Hardware model detection method
2. Check if hyperthreading is enabled
3. Memory size detection method
4. I/O Kit Registry detection method
5. Boot ROM Version detection method
6. Check if System Integrity Protection is enabled
Signature recommendations
Countermeasures


macOS sandbox detection methods

Most macOS-specific methods for sandbox and virtual environment detection are based on using shell commands such as “sysctl” and “ioreg”. Instead of providing code sample blocks, we show the commands and their arguments. Unfortunately, we can’t collect command outputs for various hypervisors due to Apple software licensing policy. Therefore, we compare the command outputs for physical and virtual machines when possible.


1. Hardware model detection method

The command used:

sysctl -n hw.model

If running on native Apple hardware, the returned value contains the model name of the hardware:

$ sysctl -n hw.model
Macmini8,1

On virtualized hardware, the value may contain the hypervisor name:

$ sysctl -n hw.model
VMware7,0

This technique was seen in the MacRansom malware. If the command output doesn't contain the "Mac" substring, the malware considers that it is running in a virtual machine.


2. Check if hyperthreading is enabled

Most Apple hardware (MacBook, Mac mini) released before 2018 came with hyperthreading enabled. This means that the number of physical cores is equal to half the of logical cores. However, some hypervisors don’t provide an ability to change the number of logical cores, which is always equal to the number of physical cores.

The command used:

echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))

On physical hardware, the output value of the command must be equal to "2". This techinique was seen in the MacRansom malware.

We should note that new hardware comes with hyperthreading disabled, for example, Mac mini with 6‑core Intel Core i7 CPU. Therefore, this method should be considered outdated.


3. Memory size detection method

This method is similar to the memory size detection method used for PC. When running several virtual machines, each VM is allocated a small amount of RAM, whereas Apple physical hardware usually have more than 4 Gb RAM.

The command used:

sysctl -n hw.memsize

The command returns the RAM size in bytes, for example: 17179869184.

4. I/O Kit Registry detection method

There are several ways in which virtual machine can be detected using the I/O Kit Registry.


Checking the "IOPlatformExpertDevice" registry class

The command used:

ioreg -rd1 -c IOPlatformExpertDevice

The following fields of the IOPlatformExpertDevice class can be checked in order to detect a virtual machine:

Field Physical hardware example value  Virtual machine example value  VM detection rule 
IOPlatformSerialNumber "C07T40BYG1J2" "0" Equal to "0"
board-id <"Mac-87C4F04823D6BACF"> <"VirtualBox"> Contains "VirtualBox", "VMware", etc.
manufacturer <"Apple Inc."> <"innotek GmbH"> Doesn't contain "Apple"


Checking USB device vendor names

The commands used:

ioreg -rd1 -c IOUSBHostDevice | grep "USB Vendor Name"

Sample output on native Apple hardware:

$ ioreg -rd1 -c IOUSBHostDevice | grep "USB Vendor Name"
    "USB Vendor Name" = "Apple Inc."
    "USB Vendor Name" = "Apple Inc."
    "USB Vendor Name" = "Apple, Inc."

On virtualized hardware, the value may contain the hypervisor name:

$ ioreg -rd1 -c IOUSBHostDevice | grep "USB Vendor Name"
    "USB Vendor Name" = "VirtualBox"
    "USB Vendor Name" = "VirtualBox"

A virtual machine can be detected by checking if the command output contains a hypervisor name, for example "VirtualBox", "VMware", etc.


Another option is to call the ioreg command with the “-l” option which makes it show properties for all objects. The output should be checked against known hypervisor names, for example:

ioreg -l | grep -i -c -e "virtualbox" -e "oracle" -e "vmware"

The above command counts the number of occurrences of various hypervisor names in the ioreg output. If the number of occurrences is greater than 0, the system is likely virtualized.


5. Boot ROM Version detection method

The command used:

system_profiler SPHardwareDataType | grep "Boot ROM Version"

If running on native Apple hardware, the returned value contains the letter code for the corresponding Apple product, for example, “MM” for Mac mini, “MBP” for MacBook Pro, “MBA” for MacBook Air:

$ system_profiler SPHardwareDataType | grep "Boot ROM Version"
        Boot ROM Version: MM71.0232.B00

If running on a virtual machine, the returned value may contain the hypervisor name:

$ system_profiler SPHardwareDataType | grep "Boot ROM Version"
        Boot ROM Version: VirtualBox

This method is implemented in OceanLotus malware, as shown below:

system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}' 2>/dev/null


6. Check if System Integrity Protection is enabled

The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension. Malware may check if the SIP is enabled.

The command used:

csrutil status

The command returns the SIP status, for example: “System Integrity Protection status: enabled.

Signature recommendations

There is a kind of trade-off between the number of detected evasion techniques and the false-positive rate. If we want to detect as many as possible attempts to use the evasion techniques, we should use signatures with a broad scope. If a process is created with one of the following command lines, this indicates an application is trying to use an evasion technique:

sysctl -n hw.model
sysctl -n hw.logicalcpu
sysctl -n hw.physicalcpu
sysctl -n hw.memsize
ioreg -rd1 -c IOPlatformExpertDevice
ioreg -rd1 -c IOUSBHostDevice
ioreg -l
system_profiler SPHardwareDataType
csrutil status

However, the commands mentioned above can be used both to perform evasion techniques and for system information gathering. To reduce the rate of false-positive detections, malware-specific signatures can be used, for example:

echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))


Countermeasures

Apple software licensing policy doesn’t allow emulating macOS on hardware other than the original Apple hardware. It is also doesn’t not allow more than 2 virtual machines to run on one host machine. Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used.


Back to main page