Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

6/30/2021
04:10 PM

Attackers Already Unleashing Malware for Apple macOS M1 Chip

Apple security expert Patrick Wardle found that some macOS malware written for the new M1 processor can bypass anti-malware tools.

It was only a matter of time. Apple Macs are growing in popularity in the enterprise - as is the number of malware variants targeting macOS. But the much-anticipated arrival of Apple's new system-on-a-chip, the M1, has spawned a new generation of macOS-specific malware that anti-malware tools, threat hunters, and researchers must quickly learn to spot and, ultimately, thwart.

Most macOS malware traditionally has been repurposed from Windows malware variants. But the pandemic's pivot to work-from-home sent more Macs into the enterprise as employees set up home offices (some with personal Mac devices), making them a more lucrative target for attackers going after businesses.

Mac security expert Patrick Wardle has already seen increasing numbers of malware variants written specifically for the M1 platform, Apple's new ARM64-based microprocessor. The M1 offers faster and more efficient processing and graphics and longer battery life, and it now powers the new generation of Macs and the iPad Pro. It also comes with new baked-in security features, including one that helps protect the machine from remote exploitation, as well as physical-access protection.

Even so, Wardle found that new macOS malware can slip by many anti-malware tools. He will demonstrate next month in a talk at Black Hat USA in Las Vegas some techniques for threat hunters and researchers to spot these new malware variants, including understanding native M1 code and reverse-engineering code written for the processor.

"It's no surprise" malware is arriving that targets Apple's M1 systems, says Wardle, the founder of Objective-See, whose career includes stints at the National Security Agency and NASA. "As attackers evolve and change their ways, we as malware analysts and security researchers need to stay abreast of that as well."

Wardle will share what he learned from reverse-engineering and studying M1-specific malware samples: "How we can hunt it and protect systems from it, and how we can reverse-engineer and analyze it," he says.

A recent Malwarebytes report shows Windows malware detections dropping 24% among business users, while increasing 31% for Mac business users.

About half of all macOS malware in 2020 were variants that started on Windows or Linux and had been ported to macOS, including nation-state attack code and adware, the most pervasive Mac threat to date, Wardle notes.

Wardle found in his research that when he split out the binaries for macOS malware, one built for the Intel-based Mac platform and the other for the M1-based platform, anti-malware systems more successfully detected the malware aimed at the Intel platform than the macOS malware aimed at the M1 platform - even though the binaries are "logically the same," he says. There was a 10% drop in their detection rate for the M1 malware.

That's a sign that existing antivirus signatures tend to be created only for the Intel variant of the macOS malware, not the M1 variant, he notes. Detection should therefore also blend in behavior-based technology, since static analysis alone can fail.
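The detection gap Wardle describes comes from signatures that match only the Intel slice of a universal (fat) Mach-O binary. As an added example (not Wardle's tooling or anything from the article), this Python parser walks the fat header, hashes each architecture slice separately and reports slices that no signature covers; the sample binary and the "known hash" set are constructed here for the demonstration.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE       # universal binary header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit thin Mach-O, stored little-endian on disk
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}   # Intel and Apple silicon


def parse_fat_slices(data):
    """Return (arch, offset, size, sha256) for every slice in a universal binary."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        raise ValueError("not a universal (fat) Mach-O")
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        entry = data[8 + i * 20: 8 + (i + 1) * 20]      # one 20-byte fat_arch record
        if len(entry) < 20:
            raise ValueError("truncated fat_arch table")
        cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", entry)
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        blob = data[offset:offset + size]
        if struct.unpack("<I", blob[:4])[0] != MH_MAGIC_64:
            raise ValueError(f"slice {i} is not a 64-bit Mach-O")
        arch = CPU_TYPES.get(cputype, hex(cputype))
        # Hash each slice on its own: a signature for the whole file or the
        # x86_64 slice alone says nothing about the arm64 code.
        slices.append((arch, offset, size, hashlib.sha256(blob).hexdigest()))
    return slices


def uncovered_slices(data, known_hashes):
    """Architectures whose slice hash has no entry in the signature set."""
    return [arch for arch, _, _, digest in parse_fat_slices(data)
            if digest not in known_hashes]


def build_sample_fat(payloads):
    """Construct a minimal universal binary from (cputype, payload) pairs (test data only)."""
    table, body, offset = b"", b"", 0x100   # slices start after a padded header
    for cputype, payload in payloads:
        blob = struct.pack("<I", MH_MAGIC_64) + payload
        table += struct.pack(">IIIII", cputype, 3, offset, len(blob), 8)  # subtype/align are dummies
        body += blob.ljust(0x100, b"\x00")
        offset += 0x100
    header = struct.pack(">II", FAT_MAGIC, len(payloads)) + table
    return header.ljust(0x100, b"\x00") + body
```

Feeding a real universal binary to `parse_fat_slices` and comparing the per-slice hashes against a signature set shows directly which architecture a rule would miss.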

For malware analysts and threat hunters, it's a matter of honing their skills to the new Apple silicon, he says. 

"I want to empower Mac analysts, red teams, and anyone in cybersecurity," he says, with reverse-engineering skills and an understanding of the ARM64 instruction set.

Also important, Wardle says, is understanding that "the M1 system actually does significantly improve security at the hardware level, but it's transparent to the everyday user." Baking security features into hardware is "the best place," he adds.

Even so, there's a learning curve to detect, analyze, and block the new M1-targeted malware, as well as the repurposed variants out there. 

"Just make sure your security posture has parity between Windows and macOS. macOS is just as vulnerable in the same arena: Don't assume Macs are more secure," he warns.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...