Posted on February 19, 2021 at 11:42 AM
Apple’s Macs are generally considered safer than Windows PCs when it comes to malware incidents. However, the number of cases on the Mac side has been rising steadily for the past few years.
Attackers are increasingly targeting the Mac platform, and security researchers have now reported a notable new milestone.
The researchers found a new piece of malware, the first of its kind, compiled to run natively on Apple’s new M1 processor.
Apple introduced the M1 system-on-chip in some of its flagship products, including the Mac mini, MacBook Air, and the new MacBook Pro.
Threat actors intensify efforts on Mac
Apple was able to build new features into its hardware when it moved the Mac from Intel’s x86 architecture to its own ARM-based chips.
But while Apple works on securing its platform, malware authors are working on circumventing those new features.
Some ransomware and adware is designed specifically to infiltrate Macs, as threat actors look to bypass Apple’s latest security protections.
Patrick Wardle, a Mac security researcher, published his discovery on Wednesday, detailing a malicious Safari extension originally written for Intel’s x86 chips and since recompiled to run natively on the M1.
He also stated that the extension, called GoSearch22, belongs to the infamous Pirrit Mac adware family.
Wardle also said this is the first time such malware has been observed. “As far as I know, this is the first time we’ve seen this,” he said.
Malware authors have evolved and adapted to keep pace with Apple’s latest software and hardware.
Security analysts at Red Canary revealed they are investigating another native M1 malware sample that appears distinct from the one Wardle discovered.
Wardle’s report showed how easily the malware was adapted and recompiled to run natively, and quietly, on the M1 chip.
The malware masquerades as a genuine Safari browser extension. While posing as an extension, it collects data and bombards the user with pop-ups and banners that link to malicious sites.
The threat actors even signed GoSearch22 with an Apple developer ID, although Apple has since revoked the certificate.
Security researchers urged to take a proactive approach
Wardle also noted that the malware detected on the M1 is still in its infancy and may be developed further to make it more potent and destructive.
He said the malware has not been fully studied yet, so its broader capabilities are not known. That also makes it harder for antivirus scanners and other defensive tools to detect and remove it.
Since Apple’s ARM chips will eventually replace Intel chips in Macs entirely, malware authors have started writing code for them.
When asked to comment on the malware, Apple declined.
Thomas Reed, a security researcher at Malwarebytes, corroborated Wardle’s statement, adding that there had been no record of native M1 malware until now.
He also said that security researchers should take a proactive approach to native M1 malware, because it is here to stay.
Anti-analysis features found in the malicious extension
Wardle also said the Safari extension includes anti-analysis features that attempt to defeat debugging tools.
He also said that the M1 version of the malware was detected far less readily on VirusTotal than the earlier x86-based version.
“Certain defensive tools like antivirus engines struggle to process this ‘new’ binary file format,” he said.
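The "new binary file format" Wardle refers to is the arm64 slice inside a Mach-O file. A universal binary carries one slice per architecture behind a fat header, and a scanner that only knows how to parse the x86_64 slice will not even look at the code that actually runs on an M1. The following is an added example, not code from Wardle, Red Canary, or the article: it parses the fat and thin Mach-O headers, hashes every slice, and compares a scanner that only handles x86 slices with one that handles arm64 as well. The sample binaries are constructed in memory (header plus dummy payload) and contain no real code; the blocklist is likewise constructed, and the function and variable names are the example's own.

```python
"""Enumerate the architecture slices of a Mach-O file and show why a scanner that
only understands x86 slices misses a natively compiled arm64 slice.
All sample binaries below are constructed in memory; none is real malware."""
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE    # fat (universal) header, always big-endian
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit thin Mach-O, stored in host byte order
MH_MAGIC = 0xFEEDFACE     # 32-bit thin Mach-O
MH_EXECUTE = 2

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86_64 = 7 | CPU_ARCH_ABI64   # 0x01000007
CPU_TYPE_ARM64 = 12 | CPU_ARCH_ABI64   # 0x0100000C
CPU_NAMES = {7: "i386", CPU_TYPE_X86_64: "x86_64", 12: "arm", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")              # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")             # cputype, cpusubtype, offset, size, align (log2)
MACH_HEADER_64 = struct.Struct("<IIIIIIII")    # magic, cputype, cpusubtype, filetype,
                                               # ncmds, sizeofcmds, flags, reserved

LEGACY_ARCHES = {"i386", "x86_64"}             # what an x86-only scanner can parse
ALL_ARCHES = LEGACY_ARCHES | {"arm", "arm64"}  # what an M1-aware scanner can parse


def thin_arch(data: bytes):
    """Return the architecture name of a thin Mach-O blob, or None if it is not one."""
    if len(data) < 8:
        return None
    (magic_le,) = struct.unpack("<I", data[:4])
    (magic_be,) = struct.unpack(">I", data[:4])
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        endian = "<"
    elif magic_be in (MH_MAGIC_64, MH_MAGIC):
        endian = ">"
    else:
        return None
    (cputype,) = struct.unpack(endian + "I", data[4:8])
    return CPU_NAMES.get(cputype, "cputype_%#x" % cputype)


def list_slices(data: bytes):
    """Return [{'arch', 'offset', 'size', 'sha256'}] for a fat or thin Mach-O."""
    if len(data) >= FAT_HEADER.size and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        _, nfat = FAT_HEADER.unpack_from(data, 0)
        # Java class files share 0xCAFEBABE; their next field is a version number,
        # far larger than any plausible slice count. Refuse rather than misparse.
        if nfat == 0 or nfat > 32:
            raise ValueError("CAFEBABE with %d entries: not a fat Mach-O" % nfat)
        slices = []
        for i in range(nfat):
            cputype, _, offset, size, _ = FAT_ARCH.unpack_from(
                data, FAT_HEADER.size + i * FAT_ARCH.size)
            if offset + size > len(data):
                raise ValueError("slice %d extends past end of file" % i)
            body = data[offset:offset + size]
            arch = thin_arch(body)
            if arch is None:
                raise ValueError("slice %d does not start with a Mach-O header" % i)
            slices.append({"arch": arch, "offset": offset, "size": size,
                           "sha256": hashlib.sha256(body).hexdigest()})
        return slices
    arch = thin_arch(data)
    if arch is None:
        raise ValueError("not a Mach-O file")
    return [{"arch": arch, "offset": 0, "size": len(data),
             "sha256": hashlib.sha256(data).hexdigest()}]


def scan(data: bytes, blocklist, supported_arches):
    """Per-slice verdict: 'malicious' if the slice hash is blocklisted, 'clean' if it was
    scanned and not blocklisted, 'unsupported' if the scanner cannot parse that arch."""
    verdicts = {}
    for s in list_slices(data):
        if s["arch"] not in supported_arches:
            verdicts[s["arch"]] = "unsupported"
        elif s["sha256"] in blocklist:
            verdicts[s["arch"]] = "malicious"
        else:
            verdicts[s["arch"]] = "clean"
    return verdicts


# --- constructed sample binaries: a valid header followed by a dummy payload ---
def build_thin(cputype: int, payload: bytes) -> bytes:
    return MACH_HEADER_64.pack(MH_MAGIC_64, cputype, 0, MH_EXECUTE, 0, 0, 0, 0) + payload


def build_fat(thins, align_log2=12) -> bytes:
    """Pack thin images into one fat file, each slice aligned to 2**align_log2."""
    align = 1 << align_log2
    header_end = FAT_HEADER.size + len(thins) * FAT_ARCH.size
    first = (header_end + align - 1) // align * align
    out = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(thins)))
    bodies, offset = bytearray(), first
    for t in thins:
        cputype = struct.unpack("<I", t[4:8])[0]
        out += FAT_ARCH.pack(cputype, 0, offset, len(t), align_log2)
        padded = t + b"\0" * (-len(t) % align)
        bodies += padded
        offset += len(padded)
    return bytes(out + b"\0" * (first - header_end) + bodies)


X86_SLICE = build_thin(CPU_TYPE_X86_64, b"constructed x86_64 payload")
ARM64_SLICE = build_thin(CPU_TYPE_ARM64, b"constructed arm64 payload")
UNIVERSAL = build_fat([X86_SLICE, ARM64_SLICE])
# Constructed blocklist: hashes of both slices are "known bad".
KNOWN_BAD = {hashlib.sha256(X86_SLICE).hexdigest(), hashlib.sha256(ARM64_SLICE).hexdigest()}

if __name__ == "__main__":
    for s in list_slices(UNIVERSAL):
        print("%-7s offset=%-6d size=%-4d sha256=%s" % (s["arch"], s["offset"], s["size"], s["sha256"][:16]))
    print("x86-only scanner :", scan(UNIVERSAL, KNOWN_BAD, LEGACY_ARCHES))
    print("M1-aware scanner :", scan(UNIVERSAL, KNOWN_BAD, ALL_ARCHES))
    print("extracted arm64  :", scan(ARM64_SLICE, KNOWN_BAD, LEGACY_ARCHES))
```

The x86-only scanner reports the x86_64 slice as malicious but the arm64 slice as unsupported, and it returns no verdict at all on the arm64 slice once it is extracted on its own, which is the situation Wardle describes for the arm64 build on VirusTotal. Hashing per slice rather than per file also matters for signature sharing: a universal binary and its thinned arm64 copy have different file hashes but an identical arm64 slice hash. On a real Mac, `lipo -archs` and `file` give the same slice inventory for a file on disk.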
Red Canary’s researchers explained that the lag in detection is because security scanners typically need time to gather information about a new malware strain; only once they have gathered enough can they reliably detect it.
It is worrying to see malware make the transition from Intel to M1 so quickly, because security tools are not yet ready for it. Until these threats have been fully analysed, the security community lacks adequate tooling to detect them. That is what makes them dangerous: the malware can stay hidden for a long time while causing havoc.
Tony Lambert, an intelligence analyst at Red Canary, also said that adding detection for new platforms such as M1 can be a delicate process.