Arm’d & Dangerous: Analyzing arm64 Malware Targeting macOS

Patrick Wardle

Objective-See

02 Dec

11:00 AM to 11:30 AM – SGT

Abstract:

Apple’s new M1 systems offer a myriad of benefits… for macOS users and, unfortunately, for malware authors as well!

In this talk we detail the first malicious programs compiled to natively target Apple Silicon (M1/arm64), focusing on methods of analysis.

We’ll start with a few foundational topics, such as methods of identifying native M1 code (which will aid us when hunting for M1 malware), as well as introductory arm64 reversing concepts.

With an uncovered corpus of malware compiled to natively run on M1 (and in some cases notarized by Apple!), we’ll spend the remainder of the talk demonstrating effective analysis techniques, including many specific to the analysis of arm64 code on macOS.

Armed with this information and these analysis techniques, you’ll leave a proficient macOS M1 malware analyst!

Speakers

Patrick Wardle

Founder
