More Details on Apple M1 Malware - ThreatWire
Added 2021-02-23 17:32:37 +0000 UTC. By Shannon Morse, ThreatWire
Shoutout to Dan from my Patreon Discord server for sending this story my way. Apple recently shipped its new MacBooks built on Apple Silicon, the M1 chip, and it didn't take long for the first malware compiled natively for that chip to be discovered. Patrick Wardle, founder of Objective-See, made the discovery. He searched VirusTotal for binaries compiled natively for arm64 macOS, and while most of what came back was legitimate software, he found one in particular called GoSearch22, which he confirmed was malware built to run natively on M1 Macs. GoSearch22 was originally written for Intel x86_64 Macs and has since been recompiled for the Arm-based M1; the sample ships as a universal binary that carries both an x86_64 and an arm64 slice.
The app was signed with an Apple Developer ID certificate, which Apple has since revoked, so macOS will no longer trust the signature. Wardle identified it as a variant of the Pirrit adware family, which first showed up in 2016 and pushes intrusive ads to users; clicking an ad downloads and installs unwanted apps. The new GoSearch22 persists as a launch agent and installs as a malicious Safari extension. It likewise serves intrusive ads, with links that lead to additional malware if a user clicks them. The sample was first seen in the wild on November 23, 2020, and was uploaded to VirusTotal on December 27th via an Objective-See tool.
This is a good example of how quickly malware authors can retarget new hardware, but it is also worrisome because antivirus engines may not yet detect malware built natively for arm64 macOS. Wardle noted that the arm64 slice of GoSearch22 was flagged by fewer VirusTotal engines than the logically identical x86_64 slice, which suggests that many signatures are tied to Intel instruction patterns rather than to the code's behavior.
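The triage step behind this story is simply asking "does this Mach-O carry an arm64 slice?", which is also the first thing a detection engineer wants to know before deciding whether an x86_64 signature can be expected to fire. The following is an added example, not Wardle's or Objective-See's code: it parses the universal (fat) header and the thin Mach-O headers using the layouts and constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>, cross-checks the fat table against each slice's own header so a tampered table cannot hide a slice, and builds a constructed universal sample (bare mach_header_64 structs, not a real executable) so it runs offline.

```python
"""Identify which CPU architectures a Mach-O binary carries.

Added example (not Objective-See's or Apple's code). Header layouts and
magic values follow Apple's <mach-o/fat.h>, <mach-o/loader.h> and
<mach/machine.h>; the sample input is constructed here.
"""
import struct

# Magic numbers from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE      # universal binary, 32-bit fat_arch entries
FAT_MAGIC_64 = 0xCAFEBABF   # universal binary, 64-bit fat_arch_64 entries
MH_MAGIC = 0xFEEDFACE
MH_CIGAM = 0xCEFAEDFE
MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE

# CPU types from <mach/machine.h>; CPU_ARCH_ABI64 is 0x01000000
CPU_TYPE_X86 = 0x00000007
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM64: "arm64",
}


def _thin_cputype(data, offset=0):
    """Return the cputype of the thin Mach-O header at `offset`.

    Thin headers are stored in the target's byte order, so the magic read
    big-endian tells us which order the remaining fields use.
    """
    if len(data) < offset + 8:
        raise ValueError("truncated Mach-O header")
    magic = struct.unpack_from(">I", data, offset)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        order = ">"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        order = "<"
    else:
        raise ValueError("not a Mach-O header: magic 0x%08x" % magic)
    return struct.unpack_from(order + "I", data, offset + 4)[0]


def mach_o_architectures(data):
    """List the architecture names of every slice in `data`, in file order.

    A thin binary yields one entry; a universal binary yields one per
    fat_arch entry. Fat headers are always big-endian.
    """
    magic = struct.unpack_from(">I", data, 0)[0]
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        return [CPU_NAMES.get(_thin_cputype(data), "unknown")]

    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    entry_fmt = ">IIQQII" if magic == FAT_MAGIC_64 else ">IIIII"
    entry_size = struct.calcsize(entry_fmt)
    archs = []
    for i in range(nfat_arch):
        entry = struct.unpack_from(entry_fmt, data, 8 + i * entry_size)
        cputype, _subtype, offset, size = entry[:4]
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        # Cross-check the fat table against the slice's own header so a
        # tampered table cannot hide an arm64 slice from triage.
        if _thin_cputype(data, offset) != cputype:
            raise ValueError("fat_arch %d cputype disagrees with slice" % i)
        archs.append(CPU_NAMES.get(cputype, "unknown"))
    return archs


def has_native_arm64(data):
    """True if the binary carries code that runs natively on Apple silicon."""
    return "arm64" in mach_o_architectures(data)


def build_universal_sample(cputypes, align=12):
    """Constructed test input: a fat binary whose slices are bare
    mach_header_64 structs (MH_EXECUTE, zero load commands)."""
    header = struct.pack(">II", FAT_MAGIC, len(cputypes))
    table = b""
    slices = []
    offset = 1 << align
    for cputype in cputypes:
        # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds,
        # sizeofcmds, flags, reserved; little-endian like real x86_64/arm64
        thin = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)
        table += struct.pack(">IIIII", cputype, 0, offset, len(thin), align)
        slices.append((offset, thin))
        offset += 1 << align
    out = bytearray(offset)
    out[: len(header) + len(table)] = header + table
    for off, thin in slices:
        out[off : off + len(thin)] = thin
    return bytes(out)


if __name__ == "__main__":
    sample = build_universal_sample([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
    print(mach_o_architectures(sample), has_native_arm64(sample))
```

On a real file, `mach_o_architectures(open(path, "rb").read())` gives the same answer as `lipo -archs` on macOS, but without needing Apple's toolchain, which matters when triage runs on a Linux sandbox. The cross-check against each slice's header is deliberate: the fat table is untrusted input, and a mismatch is itself a signal worth flagging.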
Apple also just updated its Platform Security Guide, a page on its site that breaks down the concepts behind Apple's ecosystem of devices and how their security works. It is about 200 pages long and explains the hardware security features of the M1 chip, how the operating systems are built on top of them, and how encryption and Data Protection work. The document can be downloaded from Apple's site, and it also covers the Secure Enclave, iMessage encryption including details about BlastDoor, the sandboxed message-parsing service recently introduced in iOS 14, and more.
Support ThreatWire! https://www.patreon.com/threatwire
https://objective-see.com/blog/blog_0x62.html
https://9to5mac.com/2021/02/17/first-apple-silicon-optimized-malware/
https://threatpost.com/macos-malware-apple-m1-processor/164075/
https://support.apple.com/guide/security/welcome/web
https://threatpost.com/apple-2021-platform-security-guide/164094/