12 March 21, 14:19
Introduction
Not long ago, Apple released Mac computers built around its new Apple M1 chip. The unexpected release was a milestone for Apple hardware.
As the platform matures, however, we also see growing interest in it from malware authors, which inevitably produces new malware samples compiled natively for Apple Silicon. In this article, we look at threats aimed at Macs with the Apple M1 chip on board.
We have also prepared a short F.A.Q. section at the end of the article for readers who want to better understand the security risks posed by M1 malware. Let's dive in.
XCSSET malware
Last year, a threat called XCSSET was discovered for the first time. It mainly targets Mac developers and uses an unusual distribution method: it injects a malicious payload into Xcode IDE projects on the victim's Mac, and that payload executes when the project is built in Xcode. XCSSET modules have numerous capabilities, such as:
- Reading and dumping Safari cookies,
- Injecting malicious JavaScript code into various websites,
- Stealing user files and information from applications such as Notes, WeChat, Skype, Telegram, etc.,
- Encrypting user files.
All these features, combined with high stealth and an unusual distribution method, make XCSSET a dangerous threat to Mac computers.
While examining the various executable modules of XCSSET, we found that some of them also contain code compiled specifically for the new Apple Silicon chips. For example, the sample with MD5 hash 914e49921c19fffd7443deee6ee161a4 contains two architectures: x86_64 and ARM64.
The first corresponds to previous-generation, Intel-based Macs; the second is native ARM64 code, which means it can run on computers with the new Apple M1 chip. According to VirusTotal, this sample was first uploaded on 2021-02-24 21:06:05, and the original research report contained neither this hash nor a module named “metald” (the name of the executable file). With this information in hand, we can assume that the XCSSET campaign is probably still ongoing, and that more and more malware writers are actively recompiling their samples so that they can run natively on Apple Silicon Macs.
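To check for yourself which architectures a sample such as the one above carries, the following added example (written for this page, not code from the original research) parses the Mach-O fat header directly instead of trusting a tool's summary. It assumes only the public Mach-O layout: a big-endian `fat_header` followed by `fat_arch` entries, each pointing at a thin Mach-O slice whose own header starts with a Mach-O magic. The binary it inspects is constructed inline and is not the real XCSSET module; the same check applies to any universal binary, including the Silver Sparrow package discussed below.

```python
import struct
import sys

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF      # fat headers are always big-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE      # 64-bit thin Mach-O, native / byte-swapped
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE            # 32-bit thin Mach-O
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {0x7: "i386", CPU_TYPE_X86_64: "x86_64", 0xC: "arm", CPU_TYPE_ARM64: "arm64"}


def thin_cputype(data, off):
    """cputype of the thin Mach-O header at `off`, or None if there is no Mach-O magic there."""
    if off + 8 > len(data):
        return None
    magic = struct.unpack_from(">I", data, off)[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):               # big-endian file
        return struct.unpack_from(">i", data, off + 4)[0]
    if magic in (MH_CIGAM_64, MH_CIGAM):               # little-endian file (x86_64, arm64)
        return struct.unpack_from("<i", data, off + 4)[0]
    return None


def macho_architectures(data):
    """Architectures in a Mach-O: one for a thin file, one per validated slice for a fat file."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O")
    magic = struct.unpack_from(">I", data)[0]
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        cpu = thin_cputype(data, 0)
        if cpu is None:
            raise ValueError("not a Mach-O file")
        return [CPU_NAMES.get(cpu, hex(cpu))]
    nfat = struct.unpack_from(">I", data, 4)[0]
    fmt = ">iiQQII" if magic == FAT_MAGIC_64 else ">iiIII"  # fat_arch_64 vs fat_arch
    entry = struct.calcsize(fmt)
    if 8 + nfat * entry > len(data):
        raise ValueError("fat header claims more slices than the file holds")
    archs = []
    for i in range(nfat):
        cputype, _subtype, off, size = struct.unpack_from(fmt, data, 8 + i * entry)[:4]
        if size < 32 or off + size > len(data):
            raise ValueError("slice %d lies outside the file" % i)
        if thin_cputype(data, off) != cputype:           # slice must really be a Mach-O of the claimed type
            raise ValueError("slice %d does not match its fat_arch entry" % i)
        archs.append(CPU_NAMES.get(cputype, hex(cputype)))
    return archs


def thin_header(cputype):
    """Constructed 32-byte little-endian mach_header_64 (filetype 2 = MH_EXECUTE), no load commands."""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_constructed_fat_sample():
    """Constructed stand-in for a universal binary: x86_64 slice at 0x1000, arm64 slice at 0x2000."""
    slices = [(CPU_TYPE_X86_64, 0x1000), (CPU_TYPE_ARM64, 0x2000)]
    out = bytearray(0x2000 + 32)
    struct.pack_into(">II", out, 0, FAT_MAGIC, len(slices))
    for i, (cputype, off) in enumerate(slices):
        struct.pack_into(">iiIII", out, 8 + 20 * i, cputype, 3, off, 32, 12)  # subtype *_ALL, align 2^12
        out[off:off + 32] = thin_header(cputype)
    return bytes(out)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_fat_sample()
    print(", ".join(macho_architectures(blob)))
```

On macOS, `lipo -archs` and `file` report the same information; the reason to parse by hand is the validation step, which confirms that every slice lies inside the file and really begins with a Mach-O header of the type the fat entry claims, so a malformed fat header cannot make a triage tool report an architecture that is not actually there.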
Silver Sparrow threat
XCSSET is not the only family that has adapted to run natively on Apple Silicon. According to a Red Canary report, a new threat called Silver Sparrow has been identified. It introduces a new way for malware writers to abuse the macOS installer package format: instead of placing the malicious payload in a preinstall or postinstall script, the authors hid it in the package's Distribution XML file.
This payload uses the Installer JavaScript API to run bash commands that download a JSON configuration file.
Once the configuration file has been downloaded, the sample extracts the URL for the next download from its downloadURL field.
A Launch Agent is also created so that the malicious sample runs persistently.
This JavaScript payload executes regardless of chip architecture, but the package with MD5 hash fdd6fb2b1dfe07b0e57d4cbfef9c8149 carries a “fat” Mach-O containing two architectures (ARM64 and x86_64), unlike the older package with MD5 hash 30c9bc7d40454e501c358f77449071aa. This means the malware actors are trying to expand their attack coverage by supporting a wider range of platforms.
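The following added example (not from the Red Canary report and not the malware's own code) shows how an analyst can triage a Distribution file for the technique described above. It scans every `<script>` element for the Installer JavaScript `system.run` and `system.runOnce` calls and reports which installer hooks (the `installation-check` and `volume-check` `script` attributes and the `<choice>` state attributes) would invoke the enclosing function, that is, code that executes as soon as the installer evaluates the check, before any package payload is written. The Distribution XML it scans is constructed for the demo; the function name and the shell command in it are placeholders, not Silver Sparrow's.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Installer JavaScript calls that execute a program on the host during the install flow.
SHELL_CALL = re.compile(r"\bsystem\.(run|runOnce)\s*\(")
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")
# Attributes whose value is a JS expression the Installer evaluates (installation-check,
# volume-check and <choice> state attributes): hooks that fire before any payload is unpacked.
HOOK_ATTRS = ("script", "selected", "visible", "enabled", "start_selected", "start_visible", "start_enabled")


def scan_distribution(xml_text):
    """Find system.run/runOnce calls in <script> blocks and the installer hooks that reach them."""
    root = ET.fromstring(xml_text)
    findings = []
    for script in root.iter("script"):
        code = script.text or ""
        defs = [(m.start(), m.group(1)) for m in FUNC_DEF.finditer(code)]
        for call in SHELL_CALL.finditer(code):
            # the enclosing function is the last 'function name(' defined before the call
            enclosing = next((name for pos, name in reversed(defs) if pos < call.start()), None)
            findings.append({
                "call": "system." + call.group(1),
                "function": enclosing,
                "line": code.count("\n", 0, call.start()) + 1,
                "hooks": [],
            })
    # Which hook attributes invoke those functions? Attribute values are JS expressions.
    for el in root.iter():
        for attr in HOOK_ATTRS:
            expr = el.get(attr)
            if not expr:
                continue
            for f in findings:
                if f["function"] and re.search(r"\b%s\s*\(" % re.escape(f["function"]), expr):
                    hook = "<%s %s=...>" % (el.tag, attr)
                    if hook not in f["hooks"]:
                        f["hooks"].append(hook)
    return findings


# Constructed Distribution file for the demo; the function name and command are placeholders.
CONSTRUCTED_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <title>Example Updater</title>
  <options customize="never"/>
  <installation-check script="pm_install_check();"/>
  <script><![CDATA[
function pm_install_check() {
  // stand-in for a staged download: this runs as soon as the installer evaluates the check
  system.run('/bin/sh', '-c', 'echo staged > /tmp/example_stage');
  return true;
}
]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Example Updater"><pkg-ref id="com.example.updater"/></choice>
  <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>
"""


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else CONSTRUCTED_DISTRIBUTION
    for f in scan_distribution(text):
        print("%s in %s() at script line %d, reached via %s"
              % (f["call"], f["function"], f["line"], ", ".join(f["hooks"]) or "no hook attribute"))
```

Extract the file from a package with `pkgutil --expand sample.pkg out/` or `xar -xf sample.pkg Distribution` and pass its path as the first argument. The regex is a triage aid, not a verdict: JavaScript that assembles the call dynamically (`system["ru" + "n"]`) or reaches the host through other `system.*` helpers will slip past it, so a hit is a reason to read the whole script, and a miss is not a clean bill of health.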
Adware threats for the new platform
Malware samples are not the only unwanted software that can run on Apple Silicon. The well-known Mac malware researcher Patrick Wardle recently published a post on the Pirrit adware. Although it is an old and well-known adware family, its authors still update it actively, and new samples are encountered in the wild quite often.
These updates include:
- Anti-debugging techniques, such as calling the ptrace syscall with the PT_DENY_ATTACH request,
- Control-flow obfuscation,
- Dynamic imports resolved through dlsym calls to hinder static analysis,
- Virtual-machine detection as an anti-analysis measure.
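As an added example (not Pirrit's code and not Patrick Wardle's tooling), the script below performs the static check that the first and third techniques in the list are designed to defeat: it walks a Mach-O's load commands to LC_SYMTAB and lists the undefined (imported) external symbols, flagging `_ptrace`, `_dlsym`, `_dlopen` and `_sysctl`. It handles little-endian 64-bit thin files only (an assumption made for brevity; split fat binaries with `lipo -thin` first), and the binary it inspects is a minimal constructed Mach-O, not a real sample.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit thin Mach-O
LC_SYMTAB = 0x2
N_STAB, N_TYPE, N_UNDF, N_EXT = 0xE0, 0x0E, 0x00, 0x01

# Imports worth a second look in a sample that claims to be mere adware.
SUSPECT = {
    "_ptrace": "anti-debug candidate (PT_DENY_ATTACH is a ptrace request)",
    "_dlsym": "runtime import resolution; the real imports may be hidden from static tools",
    "_dlopen": "runtime library loading, usually paired with dlsym",
    "_sysctl": "common primitive for VM and debugger checks",
}


def undefined_symbols(data):
    """Return the undefined (imported) external symbols of a little-endian 64-bit thin Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds = struct.unpack_from("<IiiIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit thin Mach-O files are handled here")
    names, off = [], 32                       # load commands start right after mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<IIII", data, off + 8)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):            # each nlist_64 entry is 16 bytes
                n_strx, n_type = struct.unpack_from("<IB", data, symoff + 16 * i)
                if n_type & N_STAB:           # debugger (stab) entries are not imports
                    continue
                if (n_type & N_TYPE) == N_UNDF and (n_type & N_EXT):
                    names.append(strtab[n_strx:strtab.index(b"\0", n_strx)].decode())
        off += cmdsize
    return names


def flag_imports(data):
    """Map each suspicious import present in the file to the reason it is interesting."""
    return {name: SUSPECT[name] for name in undefined_symbols(data) if name in SUSPECT}


def build_constructed_sample(imports):
    """Constructed for this demo: a minimal Mach-O whose only load command is an LC_SYMTAB
    listing `imports` as undefined externals. It is not loadable, only parseable."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in imports)
    symoff = 32 + 24                          # mach_header_64 + LC_SYMTAB command
    nlists, strx = b"", 1
    for s in imports:
        nlists += struct.pack("<IBBHQ", strx, N_UNDF | N_EXT, 0, 0, 0)
        strx += len(s) + 1
    stroff = symoff + len(nlists)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)  # arm64, MH_EXECUTE, 1 cmd
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, len(imports), stroff, len(strtab))
    return header + symtab + nlists + strtab


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_constructed_sample(["_ptrace", "_dlsym", "_printf"]))
    for name, why in flag_imports(blob).items():
        print("%-10s %s" % (name, why))
```

`nm -u` on macOS produces the same list. The point of the dlsym technique is precisely that the interesting imports (ptrace among them) need not appear in the symbol table at all, so `_dlsym` next to a small or generic import list is itself the signal; confirming what actually gets resolved means watching the `dlsym` calls in a debugger, where the `PT_DENY_ATTACH` check has to be bypassed first.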