
Arm'd and Dangerous

Conference:  BlackHat USA 2021

2021-08-05

Summary

The presentation discusses how to identify and bypass anti-analysis logic in M1 malware, and provides foundational knowledge of the ARM64 instruction set.

  • Malware compiled to run natively on Apple silicon (M1) now exists, and malware authors will increasingly target it
  • The ARM64 instruction set is foundational knowledge for analyzing M1 malware
  • Anti-analysis logic in M1 malware can be identified and bypassed with dynamic analysis tools (a debugger)
  • Virtual machine detection in M1 malware can be bypassed with the same method
  • M1 malware checks System Integrity Protection (SIP) status to detect analysis machines
  • Resources for learning more about ARM64 and Mac malware are provided

The presenter explains how they bypassed the anti-analysis logic in the M1 malware GoSearch22 by setting a breakpoint on the function call that performs the check, examining the values of the registers at that point, and then skipping over the call. With the check neutralized, dynamic analysis tools could be used to analyze the malware.
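The debugger workflow described above, written out as an lldb session for an arm64 Mac. This is an added illustration, not material from the talk: the symbol name `anti_analysis_check` and the return value `0` are placeholders that stand in for whatever the sample under analysis actually uses.

```lldb
# Assumed: the sample is loaded in lldb on an arm64 Mac and the routine that
# performs the anti-analysis check has already been located (placeholder name).
(lldb) breakpoint set --name anti_analysis_check
(lldb) run

# Stopped at the routine's entry. On arm64 the first integer arguments arrive
# in x0-x7 and x30 (lr) holds the return address; inspect what the check sees.
(lldb) register read x0 x1 x30
(lldb) register read            # full general-purpose register dump

# Skip the routine without executing its body: unwind the current frame and
# hand the caller the return value it expects (0 is an assumed "clean" result).
(lldb) thread return 0
(lldb) continue
```

If the check is inlined rather than a call, the same idea applies at the conditional branch instead: read the flags, then use `register write pc` to continue at the "not detected" path.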

Abstract

Apple's new M1 systems offer a myriad of benefits for macOS users and, unfortunately, for malware authors as well. In this talk we detail the first malicious programs compiled to natively target Apple Silicon (M1/arm64), focusing on methods of analysis. We'll start with a few foundational topics, such as methods of identifying native M1 code (which will aid us when hunting for M1 malware), as well as introductory arm64 reversing concepts. With an uncovered corpus of malware compiled to run natively on M1 (and in some cases notarized by Apple!), we'll spend the remainder of the talk demonstrating effective analysis techniques, including many specific to the analysis of arm64 code on macOS. Armed with this information and these analysis techniques, you'll leave a proficient macOS M1 malware analyst!
