The first native malware targeting the new Apple M1 processor is here!

Apple M1 processor

Apple released its first ARM-based processor, the M1, last year, and it shipped in the MacBook and Mac mini. This new 5-nanometer chip, which puts pressure on Intel and AMD, was targeted by attackers from the beginning. The Pirrit adware family has plagued Macs for a long time. Now Patrick Wardle, a Mac security researcher, has discovered that a native version of Pirrit built for the new M1 processor has appeared in the wild.

Compared with traditional x86 desktop and laptop CPUs, ARM CPUs have a completely different Instruction Set Architecture (ISA), which means that software built for one ISA cannot run on another ISA without assistance. M1 Macs can run x86 software through a translation layer called Rosetta, but M1-native applications are noticeably faster. This is clearly visible in performance comparisons between Google Chrome running under Rosetta and the M1-native build of Chrome.

For a long time, Apple's Mac market share has been far smaller than that of PCs, which also spared Apple fans from much malware. Ten years ago, the market share of the macOS operating system was only 6.5%, and almost no malware targeted it. But with today's market share of nearly 20%, it has naturally become a new favorite of malicious attackers. Although the current macOS malware ecosystem is still small, its growth trend is worth watching.

Today, malware authors have little motivation to target the M1 natively, because most existing macOS malware runs well on M1-equipped Macs through Rosetta 2, and malware authors usually care little about performance. After all, the CPU cycles cost them nothing. But there are still benefits to targeting the new M1 hardware directly: the more efficiently the malicious code runs, the less likely the owner of the infected computer is to notice the attack, let alone go to the trouble of removing the malware.

M1 native malware confirmed to have infected macOS users on a large scale

Wardle used his researcher account on VirusTotal, a free online malware and URL scanner, to search for samples of M1-native malware. After several searches, he found a Safari extension called GoSearch22. The Info.plist file in the application bundle confirms that it is a macOS application, not an iOS one.
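The native-versus-Rosetta distinction above comes down to which CPU architectures a Mach-O executable carries: a thin arm64 binary or a universal binary with an arm64 slice runs natively on M1, while an x86_64-only binary needs Rosetta 2. The following parser is an added example, not code from Wardle's write-up or from the page; it reads only the Mach-O and fat headers (magic numbers and CPU types as defined in Apple's mach-o headers) and the sample headers it checks are constructed inline. The 20-slice cap is an assumption used as a sanity check.

```python
import struct

# Magic numbers from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE      # 32-bit thin Mach-O
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit thin Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal ("fat") binary, header is big-endian

# CPU types from <mach/machine.h>; 0x01000000 is the CPU_ARCH_ABI64 flag
CPU_TYPE_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}

# Assumption: a plausible universal binary has only a handful of slices. The cap
# also rejects Java class files, which share the 0xCAFEBABE magic and put a
# version number (always >= 45) where nfat_arch would be.
MAX_FAT_SLICES = 20


def _cpu_name(cputype):
    return CPU_TYPE_NAMES.get(cputype, "unknown(0x%08x)" % cputype)


def macho_architectures(data):
    """Return the list of architectures a Mach-O file contains.

    Only the file headers are parsed; no load commands or code are read.
    """
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")

    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_be == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or nfat > MAX_FAT_SLICES or 8 + nfat * 20 > len(data):
            raise ValueError("implausible fat header")
        archs = []
        for i in range(nfat):
            off = 8 + i * 20
            # struct fat_arch: cputype, cpusubtype, offset, size, align
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(_cpu_name(cputype))
        return archs

    # Thin Mach-O: header fields share the byte order of the magic number
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, data[:4])[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            cputype = struct.unpack(fmt, data[4:8])[0]
            return [_cpu_name(cputype)]

    raise ValueError("not a Mach-O file")


def is_m1_native(data):
    """True if the file carries an arm64 slice and so runs natively on M1."""
    return "arm64" in macho_architectures(data)


def needs_rosetta(data):
    """True if the file is x86_64-only and would run on M1 only via Rosetta 2."""
    archs = macho_architectures(data)
    return "x86_64" in archs and "arm64" not in archs


# Constructed sample headers (not real files): a universal binary with x86_64
# and arm64 slices, plus two thin 64-bit executables.
def _fat_arch(cputype, offset, size):
    return struct.pack(">IIIII", cputype, 0x3, offset, size, 14)


SAMPLE_UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
                    + _fat_arch(0x01000007, 0x4000, 0x8000)
                    + _fat_arch(0x0100000C, 0x10000, 0x8000))


def _thin64(cputype):
    # struct mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2),
    # ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


SAMPLE_ARM64 = _thin64(0x0100000C)
SAMPLE_X86_64 = _thin64(0x01000007)

if __name__ == "__main__":
    for name, blob in [("universal", SAMPLE_UNIVERSAL),
                       ("arm64", SAMPLE_ARM64), ("x86_64", SAMPLE_X86_64)]:
        print(name, macho_architectures(blob),
              "M1-native" if is_m1_native(blob) else "Rosetta only")
```

Run against a real file, `macho_architectures(open(path, "rb").read())` gives the same answer as `lipo -archs` for the common cases; a triage script can use `is_m1_native` to pull arm64-capable samples out of a larger collection the way Wardle did with his VirusTotal searches.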

The application was signed with the Apple developer ID hongsheng_yan in November 2020, but we don't know whether Apple notarized it, because Apple has since revoked the certificate. With the certificate revoked, this version of GoSearch22 can no longer run on macOS unless its author manages to re-sign it with another developer key. We can also infer that this malicious app did infect real macOS users on a large scale before the certificate was revoked; otherwise it would never have been submitted to VirusTotal in the first place.


The M1 native version of Pirrit can evade detection and even obtain root privileges on macOS

The M1 native malware discovered by Wardle triggered 24 separate detection engines, 7 of which matched signatures of the Pirrit adware family. Pirrit is a long-lived malware family: it was rampant on Windows first and was eventually ported to macOS. Researcher Amit Serper first published research on its presence on macOS in 2016, and published a well-known follow-up study in 2017.

Once the user installs a Pirrit variant (perhaps disguised as a fake video player, a PDF reader, or a seemingly harmless Safari extension), trouble ensues: the user's default search engine is changed to something useless, browsing activity and usage are tracked, and the web pages the user visits are filled with unwanted advertisements.

Not only that, but Pirrit also uses quite mature malware techniques to stay installed, avoid detection, and make life harder for anyone trying to block it. Pirrit finds and deletes applications and browser extensions that would block it, keeps itself out of the Applications directory to evade attempts to find it, gains root privileges on the victim's Mac, and heavily obfuscates its own code to make detection and analysis more difficult.