One of the arguments Mac users make in favor of their platform is that there is very little malicious software for it, and what does exist usually has to be launched almost by hand, past every built-in protection, so most Mac malware is not dangerous. But macOS is becoming more and more popular, which means attackers are becoming more active. Moreover, most macOS users have bank accounts with money in them, so there is something to take.
Ten years ago macOS held about 6.5% of the desktop market; today it holds roughly a fifth, 20%. With millions of users, writing malware for macOS now pays off, and that is exactly what cybercriminals are doing.
Furthermore, Apple has shipped several systems built on its new M1 chip, so attackers have begun to study the chip and its capabilities, and the first results have already appeared. Security researcher Patrick Wardle recently published an analysis of a malicious Safari extension built natively for the M1. The extension belongs to the Pirrit Mac adware family.
Apple M1, malware and users
As is well known, the ARM instruction set architecture (ISA) is very different from that of traditional x86 processors, so x86 software cannot run on an ARM system without translation. Apple, well aware that all software could not be migrated from x86 to the M1 at once, created Rosetta 2, which translates x86_64 binaries so they can run on Apple silicon.
Translated x86 programs run somewhat slower than native ones, but the difference is usually not large enough for the user to notice.
Yet the cybercriminals developing malware for the M1 decided that native builds are needed anyway: a native binary runs without the translation overhead, nothing slows down, and the user has even less reason to suspect that the computer is doing someone else's work. A native build also does not depend on Rosetta 2, which is installed on demand rather than by default, being present at all.
What is this software and how was it discovered?
Wardle used his VirusTotal account to hunt for M1-native malware, running this query:
type:macho tag:arm tag:64bits tag:multi-arch tag:signed positives:2+
In plain language: code-signed (with an Apple-issued developer certificate) multi-architecture Mach-O executables that include a 64-bit ARM slice and are flagged by at least two antivirus engines.
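The query above is a search over VirusTotal's metadata; the following added example (written for this article, not Patrick Wardle's code) does the equivalent check offline on a single file. It parses the Mach-O header, enumerates the slices of a universal (fat) binary, and reports whether an arm64 slice is present, i.e. whether the binary can run on the M1 without Rosetta 2. The sample binaries are constructed in the code and are not real programs; the function and constant names are this example's own.

```python
"""Enumerate the CPU slices in a Mach-O file, thin or fat (universal).

Added example for this article, not Wardle's code. It reproduces offline
what the VirusTotal tags 'macho', 'multi-arch', '64bits' and 'arm' encode:
does this file carry an arm64 (M1-native) slice? The sample binaries built
below are constructed in code, not real programs.
"""
import struct
from typing import List

FAT_MAGIC = 0xCAFEBABE      # fat/universal header; all fat fields are big-endian
MH_MAGIC = 0xFEEDFACE       # 32-bit thin Mach-O header (little-endian on x86/arm64)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit thin Mach-O header

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64   # 0x01000007
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64    # 0x0100000C

CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM64: "arm64",
}

FAT_ARCH_LEN = 20   # struct fat_arch: cputype, cpusubtype, offset, size, align
MAX_FAT_SLICES = 20  # 0xCAFEBABE is also the Java class magic; real fat files have few slices


def _thin_cputype(blob: bytes) -> int:
    """Return the cputype of a thin Mach-O header, or -1 if blob is not one."""
    if len(blob) < 8:
        return -1
    magic, cputype = struct.unpack("<II", blob[:8])
    return cputype if magic in (MH_MAGIC, MH_MAGIC_64) else -1


def macho_archs(data: bytes) -> List[str]:
    """List architecture names in a Mach-O blob; [] if it is not Mach-O.

    Raises ValueError on a malformed fat file: truncated header, a slice
    outside the file, or a slice whose own header disagrees with the
    fat_arch entry describing it. FAT_MAGIC_64 (0xCAFEBABF) is not handled.
    """
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or nfat > MAX_FAT_SLICES:
            return []  # almost certainly a Java .class file, not a fat Mach-O
        archs = []
        for i in range(nfat):
            off = 8 + i * FAT_ARCH_LEN
            if off + FAT_ARCH_LEN > len(data):
                raise ValueError("truncated fat header")
            cputype, _sub, offset, size, _align = struct.unpack(
                ">IIIII", data[off:off + FAT_ARCH_LEN])
            if offset + size > len(data):
                raise ValueError(f"slice {i} lies outside the file")
            # Cross-check: the slice's own header must claim the same cputype.
            if _thin_cputype(data[offset:offset + size]) != cputype:
                raise ValueError(f"slice {i} header does not match its fat_arch entry")
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    cputype = _thin_cputype(data)
    if cputype == -1:
        return []
    return [CPU_NAMES.get(cputype, hex(cputype))]


def is_arm64_native(data: bytes) -> bool:
    """True if the file can run on Apple silicon without Rosetta 2."""
    return "arm64" in macho_archs(data)


# ---- constructed samples (not real programs) -------------------------------

def thin_header(cputype: int) -> bytes:
    """Minimal 32-byte mach_header_64 with the given cputype."""
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_universal(cputypes=(CPU_TYPE_X86_64, CPU_TYPE_ARM64)) -> bytes:
    """Assemble a fat binary with one page-aligned slice per cputype, as lipo does."""
    page = 4096
    entries = b""
    slices = b""
    offset = page  # first slice starts on the page after the fat header
    for cputype in cputypes:
        blob = thin_header(cputype)
        entries += struct.pack(">IIIII", cputype, 0, offset, len(blob), 12)
        slices += blob.ljust(page, b"\0")
        offset += page
    header = struct.pack(">II", FAT_MAGIC, len(cputypes)) + entries
    return header.ljust(page, b"\0") + slices


if __name__ == "__main__":
    sample = build_universal()
    print("archs:", macho_archs(sample), "arm64-native:", is_arm64_native(sample))
```

On a Mac the same information comes from `lipo -archs` or `file`; the parser is for a Linux analysis box where those tools are absent. The cross-check between each fat_arch entry and the slice's own header flags files where the two disagree, which is a sign of corruption or tampering rather than a legitimate build.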
Sifting through the results was a substantial job, but Wardle eventually found a Safari extension called GoSearch22. The Info.plist in the app bundle confirmed that it was a macOS application (not an iOS one).
The malware was signed with the Apple Developer ID of hongsheng_yan in November 2020. That certificate has since been revoked, but exactly why Apple did so is not known: the company may have discovered illegal activity by the developer, or the use of his certificate by attackers.
It is reasonable to assume the ID was revoked because the extension did help cybercriminals infect victims' systems; someone noticed the problem and Apple acted.
So what does GoSearch22 do?
As mentioned above, this malware belongs to the Pirrit Mac family, which is, so to speak, ancient: it started out on Windows and was later ported to the Mac, first appearing there in 2017.
The detected extension delivers adware that injects the operators' advertisements into web pages until the page is literally clogged with ads. It also replaces the search page, and a couple of additional "bonuses" may be installed along the way.
Pirrit carries anti-analysis logic that helps it evade security tools and quietly continue its business. It also looks for and removes applications and browser extensions that might interfere with it, and it tries to obtain root privileges. Its code is obfuscated to make life harder for both users and security researchers.
Without a doubt, we will see more such software native to the M1 in the near future. GoSearch22 is just the beginning.