Cybercriminals Have Already Developed Malware For Apple M1 Chip


As professionals in the field often say, cybersecurity is an eternal game of cat and mouse, with the “good guys” devising tactics to protect information and the “bad guys” finding ever smarter ways to overcome these new barriers. The newest proof of this is that cybercriminals, it seems, are already writing malware that specifically targets Apple's M1 chip.

The first member of the Apple Silicon project (which aims to replace x86 architecture processors in all Apple devices with in-house systems-on-chip based on the ARM standard), the M1 was introduced at the very end of 2020, equipping the new generations of the MacBook Air, MacBook Pro and Mac mini. The powerful component represents a revolution in the company's history, but it also causes headaches for developers.

This is because programmers need to adapt their code so that apps and software run properly on the new architecture, or rely on an emulator called Rosetta 2, which handles the situation with something of a workaround. The problem is that, like benign developers, digital miscreants have also started adapting their malware to the M1 SoC, which poses a risk to the owners of these devices.

The discovery was made by none other than Patrick Wardle, a researcher famous for his obsession with finding threats and vulnerabilities in macOS. He identified a custom strain of GoSearch22, a malicious Safari extension that hides the Pirrit Mac adware inside. Once it has infected the system, it displays an excessive number of ads (often leading to malicious websites).

“This shows that malware authors are evolving and adapting to keep up with the latest Apple hardware and software. As far as I know, this is the first time we've seen it,” explained Wardle. The expert also points out that GoSearch22 was signed with an Apple developer ID, which means that the criminal managed to register as an ordinary developer. The certificate has already been revoked.

In an interview with WIRED, Thomas Reed, a researcher at Malwarebytes, said that such criminal action would be "inevitable", since it is not so difficult to adapt software for the M1. “Honestly, I'm not surprised that it happened first with Pirrit. This is one of the most active and old macOS adware families, and they are constantly changing to avoid detection,” he says.

Too fast to act

Even more worrying is the fact that the strain customized for the M1 chip is more difficult to detect. Researchers often use the VirusTotal platform (a kind of central library of malware signatures from various antivirus engines) and, according to Wardle, although the service can easily identify the x86 version of GoSearch22, there is a 15% drop in detection of the updated edition.

“Certain defense tools, such as antivirus engines, go to great lengths to process this 'new' binary file format. They can easily detect the Intel x86 version, but have failed to detect the ARM M1 version, although the code is logically identical,” explains Wardle. This means that, in practice, the antivirus installed on your Mac will also have difficulties in identifying this new malware.
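The gap described above shows up at the file level: macOS executables are Mach-O files, and a universal file carries one slice per architecture, so a hash-based signature for the x86_64 slice says nothing about the arm64 one. The following is an added example (not from the article or from Wardle's tooling) that lists each slice with its own SHA-256 and reports the architectures a signature set does not cover; the `known_hashes` set and the sample file are constructed for illustration.

```python
import hashlib
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF  # universal header, big-endian
MH_MAGIC_64 = 0xFEEDFACF                           # thin 64-bit Mach-O, little-endian
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def macho_slices(data):
    """Return [(arch, sha256_hex)] for every architecture slice in a Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        # fat_arch is 20 bytes, fat_arch_64 is 32; only the first four fields are read.
        fmt, step = (">IIII", 20) if magic == FAT_MAGIC else (">IIQQ", 32)
        # Java class files also start with 0xCAFEBABE, so bound-check the slice table.
        if count == 0 or 8 + count * step > len(data):
            raise ValueError("implausible universal header")
        out = []
        for i in range(count):
            cpu, _sub, off, size = struct.unpack_from(fmt, data, 8 + i * step)
            if off + size > len(data):
                raise ValueError("slice extends past end of file")
            digest = hashlib.sha256(data[off:off + size]).hexdigest()
            out.append((CPU_NAMES.get(cpu, hex(cpu)), digest))
        return out
    le_magic, cpu = struct.unpack_from("<II", data, 0)
    if le_magic == MH_MAGIC_64:
        return [(CPU_NAMES.get(cpu, hex(cpu)), hashlib.sha256(data).hexdigest())]
    raise ValueError("not a Mach-O or universal binary")

def uncovered_archs(data, known_hashes):
    """Architectures whose slice hash is absent from a (hypothetical) signature set."""
    return [arch for arch, digest in macho_slices(data) if digest not in known_hashes]

def build_sample():
    """Constructed two-slice universal file; slice bodies are filler, not real code."""
    def thin(cpu, filler):
        return struct.pack("<8I", MH_MAGIC_64, cpu, 0, 2, 0, 0, 0, 0) + filler
    x86, arm = thin(0x01000007, b"\x90" * 32), thin(0x0100000C, b"\x1f" * 32)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">5I", 0x01000007, 3, 64, len(x86), 0)
    header += struct.pack(">5I", 0x0100000C, 0, 64 + len(x86), len(arm), 0)
    return header.ljust(64, b"\0") + x86 + arm
```

Feeding `uncovered_archs` a set that holds only the x86_64 slice's hash returns `["arm64"]`, which is the situation the quote describes.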

For Tony Lambert, intelligence analyst at Red Canary, this is a time that calls for great attention, as the transition from Intel architecture to ARM was very fast and “the security community does not yet have signatures to detect these threats”. Customizing antivirus software to ensure a higher detection rate is also a complicated process, as any misinterpreted code can have the reverse effect.

“M1 is only a few months old and security vendors need to develop software carefully, as they cannot allow tools to disrupt customer systems. These security vendors tend to lag behind a bit until their software has a reasonable history of changes in new technologies,” concludes Lambert.
