agsandrew - stock.adobe.com

Apple's M1 silicon brings new challenges for malware defenders

Noted security researcher Patrick Wardle told Black Hat 2021 attendees that catching malware attacks on new macOS systems requires learning the subtleties of ARM64 architecture.

Getting a grip on malware threats for the latest versions of the macOS will mean learning the inner-workings of Apple's M1 chip.

That's according to renowned macOS security researcher Patrick Wardle, who told attendees at the 2021 Black Hat conference that to properly break down and study Mac malware, it would be necessary to get a grasp on its ARM64 architecture.

First introduced last year, the M1 marks Apple's first foray into custom desktop chips since the ill-fated PowerPC and the first time the technology giant has gone entirely solo for a microprocessor. Since 2005, Mac desktop and laptop computers have used Intel x86 CPUs.

While high-level programming remains largely the same with the shift away from Intel, the M1's use of the ARM64 architecture means that the antimalware and security teams who rely on reverse engineering and other low-level code operations will need to learn the subtleties of an instruction set.

"It is inevitable that malware authors are going to recompile or as they're creating new malware, they are going to compile it to run natively," Wardle said. "It is something to be aware of, and we should be sure our antivirus signatures are architecturally agnostic."

Wardle explained that learning the ARM64 architecture is important for defenders and researchers in large part because it is the only way to catch popular evasion methods malware writers have adopted. While many samples now contain routines that check for things like antivirus software or VMs, a savvy defender versed in Assembly can spot those measures and forego them with breaks and other debugging tools.

Apple also has a role to play, Wardle noted. The researcher said one of the best tools to isolate and study malware, the use of VMs, is not yet possible on the ARM-based M1 Macs.

"This is due to the fact Apple has not released the virtualization APIs," Wardle explained. "Currently, the only solution is to have a separate M1 system to do your analysis."

Apple, fortunately, is slated to add those critical virtualization APIs in the upcoming macOS 12.

Next Steps

Beware of proxyware: Connection-sharing services pose major risks

Dig Deeper on Network security