First Apple Silicon Optimized Malware Found in Nature




The first Apple Silicon Macs have only been out for a few months, and a good chunk of popular apps have been updated with native support for the M1 MacBook Air, Pro, and Mac mini. Not far behind, what looks like the first malware optimized for Apple Silicon was found in the wild.

The discovery was made by security researcher and founder of Objective-See, Patrick Wardle. In a very detailed deconstruction, Patrick explained how he went about finding the new malware specific to Apple Silicon and why it was important.

As I worked on rebuilding my tools to achieve native M1 compatibility, I pondered the possibility that malware writers were spending their time similarly as well. Ultimately malware is just software (albeit malicious) so I thought it would make sense that we (eventually) see malware designed to run natively on newer M1 systems from Apple.

Before we go looking for native M1 malware, we need to answer the question: “How can we tell if a program was natively compiled for M1?” In short, it will contain arm64 code! OK, and how can we verify this?

One easy way is to use macOS's built-in file tool (or lipo -archs). Using this tool, we can examine a binary to see if it contains compiled arm64 code.

Patrick ended up using a free researcher account with VirusTotal to start his hunt. An important step in deciding whether a sample was genuinely built for Apple Silicon was to rule out iOS binaries, which also carry arm64 code but are not native M1 macOS programs.
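The two checks described above (does the binary contain an arm64 slice, and is that slice built for macOS rather than iOS) can be reproduced without the file or lipo tools by reading the Mach-O headers directly. The script below is an added example and is not code from the article or from Objective-See; it parses the universal (fat) header and each slice's LC_BUILD_VERSION / LC_VERSION_MIN_* load command. The sample images it inspects are constructed in the script (a universal x86_64+arm64 macOS binary, an arm64 iOS-only binary, and an Intel-only binary), so it runs offline; point it at a real Mach-O file to inspect that instead.

```python
"""Report the CPU architectures and target platform of a Mach-O image.
Added example, not the article's or Objective-See's code."""
from __future__ import annotations
import struct

FAT_MAGIC = 0xCAFEBABE                              # universal header, always big-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE   # 64-bit Mach-O, either byte order
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE         # 32-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86_64 = 7 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 12 | CPU_ARCH_ABI64
CPU_NAMES = {7: "i386", 12: "arm", CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
LC_BUILD_VERSION, LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS = 0x32, 0x24, 0x25
PLATFORMS = {1: "macos", 2: "ios", 3: "tvos", 4: "watchos", 6: "maccatalyst"}
PLATFORM_MACOS, PLATFORM_IOS = 1, 2


def parse_thin(data: bytes) -> dict:
    """Parse one Mach-O slice: its architecture and the platform recorded in the
    LC_BUILD_VERSION or LC_VERSION_MIN_* load command (None if neither is present)."""
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        endian = ">"            # fields stored big-endian
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        endian = "<"            # fields stored little-endian (the usual case on x86_64/arm64)
    else:
        raise ValueError(f"not a Mach-O image (magic {magic:#x})")
    header_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    cputype, _subtype, _filetype, ncmds, _sizeofcmds = struct.unpack(endian + "IIIII", data[4:24])
    platform = None
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(endian + "II", data[off:off + 8])
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_BUILD_VERSION:
            plat = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
            platform = PLATFORMS.get(plat, f"platform_{plat}")
        elif cmd == LC_VERSION_MIN_MACOSX:
            platform = "macos"
        elif cmd == LC_VERSION_MIN_IPHONEOS:
            platform = "ios"
        off += cmdsize
    return {"arch": CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"), "platform": platform}


def parse_image(data: bytes) -> list[dict]:
    """Return one record per slice; a thin Mach-O yields a single record."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O image")
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return [parse_thin(data)]
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        base = 8 + i * 20       # fat_arch entries are 5 big-endian uint32s
        _cputype, _sub, offset, size, _align = struct.unpack(">IIIII", data[base:base + 20])
        slices.append(parse_thin(data[offset:offset + size]))
    return slices


def is_native_m1_macos(data: bytes) -> bool:
    """True when some slice is arm64 AND built for macOS, which rules out iOS apps."""
    return any(s["arch"] == "arm64" and s["platform"] == "macos" for s in parse_image(data))


# --- constructed sample images (header plus one load command, no code) ---------------
def _slice(cputype: int, platform: int) -> bytes:
    lc = struct.pack("<IIIIII", LC_BUILD_VERSION, 24, platform, 0x000B0000, 0x000B0000, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0)  # filetype 2 = MH_EXECUTE
    return hdr + lc


def _fat(slices: list[tuple[int, bytes]]) -> bytes:
    """Wrap slices in a universal header (real binaries page-align slices; the parser does not care)."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    table, body, offset = b"", b"", 8 + 20 * len(slices)
    for cputype, image in slices:
        table += struct.pack(">IIIII", cputype, 0, offset, len(image), 0)
        body += image
        offset += len(image)
    return header + table + body


SAMPLE_UNIVERSAL = _fat([(CPU_TYPE_X86_64, _slice(CPU_TYPE_X86_64, PLATFORM_MACOS)),
                         (CPU_TYPE_ARM64, _slice(CPU_TYPE_ARM64, PLATFORM_MACOS))])
SAMPLE_IOS_ONLY = _slice(CPU_TYPE_ARM64, PLATFORM_IOS)
SAMPLE_INTEL_ONLY = _slice(CPU_TYPE_X86_64, PLATFORM_MACOS)

if __name__ == "__main__":
    import sys
    images = {"constructed universal": SAMPLE_UNIVERSAL, "constructed iOS-only": SAMPLE_IOS_ONLY,
              "constructed Intel-only": SAMPLE_INTEL_ONLY}
    if len(sys.argv) > 1:                       # e.g. Foo.app/Contents/MacOS/Foo
        with open(sys.argv[1], "rb") as fh:
            images = {sys.argv[1]: fh.read()}
    for name, img in images.items():
        print(f"{name}: {parse_image(img)} native M1 macOS={is_native_m1_macos(img)}")
```

For a real app the executable to inspect lives at Contents/MacOS/<name> inside the bundle; arm64 slices whose platform reads as ios are exactly the iOS builds that must be excluded from a hunt for M1-native macOS malware.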

After narrowing the results down, Patrick singled out a sample named “GoSearch22” as worth a closer look.

After passing a few more checks, Patrick was able to confirm that this was malware optimized for Mac M1.

Hooray, so we managed to find a macOS program containing native M1 (arm64) code … which is detected as malicious! This confirms that malware / adware authors are indeed working to ensure that their malicious creations are natively compatible with the latest hardware from Apple. 🥲

It is also important to note that GoSearch22 was successfully signed with an Apple Developer ID (hongsheng yan) on November 23, 2020.

Patrick notes that Apple has revoked the certificate at this point, so it is not known whether Apple notarized the code. But all the same …

What we do know is that this binary was detected in the wild (and submitted by a user through an Objective-See tool) … so whether notarized or not, macOS users have been infected.

From further research, Patrick was able to learn that the Apple Silicon-optimized GoSearch22 is a variant of the widespread but rather insidious “Pirrit” adware. More specifically, this new instance appears to persist via a launch agent and to install itself as a malicious Safari extension.
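Because the sample's persistence mechanism is a launch agent, one defensive check is to audit the launchd property lists under ~/Library/LaunchAgents for entries that start at login and point at executables outside the system paths. The script below is an added example, not code from the article or from Objective-See; the trusted-path prefixes and the findings it reports are heuristics assumed here, and the plists it audits are constructed inline so it runs offline.

```python
"""Audit launchd agent plists for persistence indicators.
Added example, not the article's or Objective-See's code; heuristics are assumptions."""
from __future__ import annotations
import plistlib
from pathlib import Path

# Assumed set of locations a benign agent's executable normally lives in.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/libexec/", "/usr/sbin/", "/bin/", "/sbin/")


def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Return the agent label, the program it launches, and a list of findings."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    findings = []
    if plist.get("RunAtLoad"):
        findings.append("starts automatically at login (RunAtLoad)")
    keep_alive = plist.get("KeepAlive")
    if keep_alive is True or (isinstance(keep_alive, dict) and keep_alive):
        findings.append("relaunched by launchd if it exits (KeepAlive)")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside system paths: {program}")
    return {"label": plist.get("Label"), "program": program, "findings": findings}


def audit_directory(directory: Path) -> list[dict]:
    """Audit every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            results.append({"file": str(path), **audit_launch_agent(path.read_bytes())})
        except Exception as exc:           # unreadable or binary-corrupt plist
            results.append({"file": str(path), "error": str(exc)})
    return results


# Constructed sample plists (not real GoSearch22 artifacts).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.searchhelper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/SearchHelper/helper</string>
    <string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.cleanup</string>
  <key>Program</key><string>/usr/bin/true</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, audit_launch_agent(data))
    agents_dir = Path.home() / "Library" / "LaunchAgents"
    if agents_dir.is_dir():
        for rec in audit_directory(agents_dir):
            print(rec)
```

An entry that both runs at login and executes from a user-writable location is not proof of adware, but it is the shape a persistence foothold takes and is the first thing to verify against the binary's signature and the checks earlier in this article.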

Most notably, the Apple Silicon-optimized GoSearch22 first appeared on December 27, just weeks after the first M1 Macs shipped. Patrick also notes that a user submitted it to VirusTotal with one of Objective-See’s tools.

Why it matters

In conclusion, Patrick shares some thoughts on why Apple Silicon-optimized malware matters. First and foremost, it is concrete evidence of how quickly malicious code evolves in response to new hardware and software from Apple.

But beyond that, there is the most important realization that today’s tools may not be up to the task of defending against macOS arm64-centric malware:

Second, and more worryingly, (static) scanning tools or anti-virus engines can have difficulty with arm64 binaries.

Check out Patrick’s full technical post on Objective-See here.
