If you’d rather skip straight to the technical details, here’s the blog post explaining how it all works.

This post is the high-level story of how this technique was found, in which the story makes the thrilling transition to first-person.

First things first: If you’re reading this, we somehow got away with calling it “Icarus Labs”.

I’m writing this because I realised the techniques for how we do research are sometimes just as valuable as the research itself.

But that’s me saying this now, on the other side of my mad scientist moment. The time has now come for a gratuitous and ultimately superfluous flashback to how it all started….

Playing hide-and-seek on someone’s computer for a long time

Okay I think the flashback is working.

One day, my teammate asked me what I thought it would take to hack a computer, and then keep it hacked for a long time, like a year.

The goal was to install malware, and keep it there. By “malware”, I mean “remote access software”: You can control their computer from your computer. This is what attackers want because they can download secret files, turn things on and off, and generally do anything you can do with your computer.

A year is…. a long time to hide on someone else’s computer, by my standards. We’d need to make sure that the malware didn’t obviously stand out, make sure it didn’t crash the user’s computer, and make sure it didn’t get removed when the computer was rebooted, or had a system update.

I was thinking we probably weren’t going to get away with using a technique for hiding that anyone could just Google. What if, during that year, someone decided to just… check in all the common hiding places? Those kind of rare events become much more likely if they have a whole year to happen.

So, I realised my best shot was to try and find a new way of hiding, that nobody’s seen before. It’s hard to find something if you don’t know what it looks like.

Hmmm, where should I look for a new technique?

The ways of persisting (keeping your malware running, even if the computer restarts/updates/etc.) on macOS that I knew about were pretty basic. The current state of the art is to use a LaunchAgent (the macOS equivalent of a cronjob/recurring task) to automatically run your malware whenever the computer starts up.

I realised everyone‘s trying to persist on macOS, so it’s hard to find something that nobody has tried yet. But, people’s computers don’t actually run plain, fresh macOS, like they’re straight out of the Apple store. They install all this extra stuff to get work done, especially if they’re software developers. Why, they often install, at a minimum, things like Homebrew, Docker, iTerm2 etc.. These apps have much less security review than macOS itself, and are developer tools, so even more likely to trade off security for more powerful features.

There are many legit apps that want to do the task: “run a program, and keep it running”. I was hoping to find a way to use one of these apps in a legitimate way (i.e. not by finding and exploiting a bug) because, well, it’s already a feature. If I were an attacker, just hypothetically, I’d love for my persistence method to be a legit feature, since it would blend in nicely, and be less likely than a bug to be removed in a future update.

It seemed like the best place to persist would be in some specific software/configuration of the machine, rather than in the OS itself. Of course, this is a flexibility tradeoff: You don’t know what software is going to be on the target machine when you get to it, so you can’t guarantee that your method will work in advance. We make this tradeoff with operating systems all the time (e.g. preparing malware that only runs on Windows, or only on Linux), so I decided to try and trade off even more flexibility for a better persistence method.

Which software seems like a good target?

“What’s some software that every developer has on macOS?”, I thought. Ah, Docker, Homebrew, maybe VSCode, or iTerm2? Which of those sound like they’d be good places to hide malware? Well, which of them execute code? Actually, all of them execute code, and all of them sound like pretty good places to hide to me. But, I tried Docker first, because I knew it had a lot of features, could access the whole machine, open ports, and seemed just a little too difficult to use in a safe enough way.

The bottom line

Anyway, this has been a rambly way of dancing around the fact that I ultimately stumbled on this techique by Googling “docker docs” and Cmd+F’ing the page for “exec”.