Windows 10 News and info | Forum
Author Topic: First Apple Silicon optimized malware discovered in the wild  (Read 10 times)
javajolt (Administrator)
« on: February 18, 2021, 01:07:04 PM »

The first Apple Silicon Macs have been out for just a few months and a good portion of popular apps have been updated with native support for the M1 MacBook Air, Pro, and Mac mini. Not far behind, what looks like the first malware that’s been optimized for Apple Silicon has been found in the wild.

The discovery was made by security researcher and founder of Objective-See, Patrick Wardle. In a highly detailed deconstruction, Patrick shared how he went about finding the new Apple Silicon specific malware and why this matters.

Quote
As I was working on rebuilding my tools to achieve native M1 compatibility, I pondered the possibility that malware writers were also spending their time in a similar manner. At the end of the day, malware is simply software (albeit malicious), so I figured it would make sense that (eventually) we'd see malware built to execute natively on Apple's new M1 systems.

Before going off hunting for native M1 malware, we need to answer the question, "How can we determine if a program was compiled natively for M1?" Well, in short, it will contain arm64 code! OK, and how do we ascertain this?

One simple way is via macOS's built-in file tool (or lipo -archs). Using this tool, we can examine a binary to see if it contains compiled arm64 code.


Patrick ended up using a free researcher account with VirusTotal to start his hunt. An important step in finding any malware truly optimized for Apple Silicon was to weed out universal apps that are actually iOS binaries.

After narrowing things down, Patrick found “GoSearch22” as an interesting find.



After passing a few more checks, Patrick was able to confirm this is malware optimized for M1 Macs.

Quote
Hooray, so we've succeeded in finding a macOS program containing native M1 (arm64) code …that is detected as malicious! This confirms malware/adware authors are indeed working to ensure their malicious creations are natively compatible with Apple's latest hardware. 🥲

It is also important to note that GoSearch22 was indeed signed with an Apple developer ID (hongsheng yan), on November 23rd, 2020:


Patrick notes that Apple has revoked the certificate at this point, so it's not known if Apple notarized the code. But even so…

Quote
What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected.


With further digging, Patrick was able to learn that the GoSearch22 Apple Silicon optimized malware is a variation on the "prevalent, yet rather insidious, 'Pirrit' adware." Specifically, this new instance looks like it aims to "persist a launch agent" and "install itself as a malicious Safari extension."

Even more notably, GoSearch22 optimized for Apple Silicon first surfaced on December 27, just weeks after the first M1 Macs were made available. And Patrick notes a user actually submitted it to VirusTotal with one of Objective-See’s tools.

Why it’s significant

In conclusion, Patrick shares a few thoughts on why Apple Silicon optimized malware matters. First, it’s real-world proof of how fast malicious code is evolving in response to new hardware and software from Apple.

But beyond that is the more important realization that current tools may not be up to the task of defending against arm64 macOS-focused malware:

Quote
Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle with arm64 binaries.


Check out the full technical post from Patrick on Objective-See here.

source
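The post's two technical steps are (1) checking whether a binary carries an arm64 slice, which is what `file` and `lipo -archs` report, and (2) weeding out universal apps that are really iOS binaries. The following script, added here as an example and not code from the post, from Patrick Wardle or from Apple's tools, does the same header walk by hand: it parses the big-endian fat header, then each thin Mach-O header's load commands, and reads the target platform from LC_BUILD_VERSION or the older LC_VERSION_MIN_* commands. The sample binaries at the bottom are constructed in memory (headers and load commands only, no code) so it runs offline; the 30-slice sanity bound that separates a fat header from a Java class file (both start with 0xCAFEBABE) mirrors libmagic's heuristic and is an assumption of this example.

```python
"""Check a Mach-O or universal binary for native arm64 code and for the
platform that slice targets. Added example; not Wardle's code or Apple's tools."""
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # fat headers are always big-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit thin header, read big-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit thin header
CPU_X86_64, CPU_ARM64 = 0x01000007, 0x0100000C
CPU_TYPES = {0x00000007: "i386", CPU_X86_64: "x86_64", 0x0000000C: "arm", CPU_ARM64: "arm64"}
LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_BUILD_VERSION = 0x24, 0x25, 0x32
PLATFORMS = {1: "macos", 2: "ios", 3: "tvos", 4: "watchos", 6: "maccatalyst"}


def parse_thin(blob, off=0):
    """Return (arch, platform) for the Mach-O slice that starts at `off`."""
    magic, = struct.unpack_from(">I", blob, off)
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        endian, hdr_len = (">" if magic == MH_MAGIC_64 else "<"), 32
    elif magic in (MH_MAGIC, MH_CIGAM):
        endian, hdr_len = (">" if magic == MH_MAGIC else "<"), 28
    else:
        raise ValueError("no Mach-O header at offset %#x" % off)
    cputype, _sub, _ftype, ncmds, sizeofcmds = struct.unpack_from(endian + "5I", blob, off + 4)
    arch = CPU_TYPES.get(cputype, "cpu:%#x" % cputype)
    platform, pos, end = "unknown", off + hdr_len, off + hdr_len + sizeofcmds
    for _ in range(ncmds):                       # walk the load commands
        if pos + 8 > end or end > len(blob):
            raise ValueError("load commands run past the slice")
        cmd, cmdsize = struct.unpack_from(endian + "2I", blob, pos)
        if cmdsize < 8:
            raise ValueError("malformed load command size")
        if cmd == LC_BUILD_VERSION:              # modern toolchains: explicit platform id
            plat, = struct.unpack_from(endian + "I", blob, pos + 8)
            platform = PLATFORMS.get(plat, "platform:%d" % plat)
        elif cmd == LC_VERSION_MIN_MACOSX:       # older toolchains: one command per OS
            platform = "macos"
        elif cmd == LC_VERSION_MIN_IPHONEOS:
            platform = "ios"
        pos += cmdsize
    return arch, platform


def slices(blob):
    """Return [(arch, platform), ...] for every slice of a thin or fat binary."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        return [parse_thin(blob, 0)]
    nfat, = struct.unpack_from(">I", blob, 4)
    if nfat == 0 or nfat > 30:                   # Java class files share 0xCAFEBABE; their
        raise ValueError("implausible nfat_arch")  # version field lands here (assumed bound)
    out, pos = [], 8
    for _ in range(nfat):
        if magic == FAT_MAGIC:
            _ct, _cs, offset, size, _align = struct.unpack_from(">5I", blob, pos)
            pos += 20
        else:                                    # fat_arch_64 has 64-bit offset and size
            _ct, _cs, offset, size, _align, _res = struct.unpack_from(">2IQQ2I", blob, pos)
            pos += 32
        if offset + size > len(blob):
            raise ValueError("fat slice lies outside the file")
        out.append(parse_thin(blob, offset))
    return out


def native_m1_macos(blob):
    """True only for an arm64 slice built for macOS; an iOS arm64 app does not count."""
    return any(arch == "arm64" and plat == "macos" for arch, plat in slices(blob))


# ---- constructed samples: minimal little-endian headers plus load commands, no code ----
def _lc_build_version(platform):
    return struct.pack("<6I", LC_BUILD_VERSION, 24, platform, 0x000B0000, 0x000B0000, 0)

def _lc_version_min_macosx():
    return struct.pack("<4I", LC_VERSION_MIN_MACOSX, 16, 0x000A0F00, 0x000B0000)

def _thin(cputype, load_cmds):
    body = b"".join(load_cmds)                   # filetype 2 = MH_EXECUTE
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, len(load_cmds), len(body), 0, 0) + body

def _fat(thins):
    """Universal binary: big-endian fat header, then 4 KiB-aligned slices as lipo lays them out."""
    cursor, offsets = 8 + 20 * len(thins), []
    for _ct, blob in thins:
        cursor = (cursor + 0xFFF) & ~0xFFF
        offsets.append(cursor)
        cursor += len(blob)
    out = bytearray(struct.pack(">2I", FAT_MAGIC, len(thins)))
    for (cputype, blob), off in zip(thins, offsets):
        out += struct.pack(">5I", cputype, 0, off, len(blob), 12)
    for (_ct, blob), off in zip(thins, offsets):
        out += b"\0" * (off - len(out)) + blob
    return bytes(out)

SAMPLE_UNIVERSAL = _fat([(CPU_X86_64, _thin(CPU_X86_64, [_lc_version_min_macosx()])),
                         (CPU_ARM64, _thin(CPU_ARM64, [_lc_build_version(1)]))])
SAMPLE_IOS_ARM64 = _thin(CPU_ARM64, [_lc_build_version(2)])      # arm64, but an iOS build
SAMPLE_INTEL_ONLY = _thin(CPU_X86_64, [_lc_version_min_macosx()])

if __name__ == "__main__":
    for name, blob in [("universal", SAMPLE_UNIVERSAL), ("ios-arm64", SAMPLE_IOS_ARM64),
                       ("intel-only", SAMPLE_INTEL_ONLY)]:
        print(name, slices(blob), "native M1 macOS:", native_m1_macos(blob))
```

Run it against a real file with `slices(open(path, "rb").read())`. The platform check is what separates a true M1-native macOS binary from an iOS app that happens to be arm64; a VirusTotal search on architecture alone returns both, which is why the post describes the extra weeding-out step.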