Rosetta 2, Apple's translation technology, lets x86-64 binaries run on ARM64 (Apple Silicon) macOS systems. Threat actors abuse this capability to run x86-64-compiled macOS malware, and in doing so leave behind AOT cache files that are valuable forensic evidence. Analysing these files together with Unified Logs and FSEvents is crucial when investigating macOS intrusions.
Affected: macOS systems, cryptocurrency organizations
Keypoints:
- Rosetta 2 allows x86-64 binaries to run on Apple Silicon (ARM64) macOS.
- AOT files created by Rosetta 2 serve as essential forensic artifacts.
- Sophisticated threat actors deploy x86-64-compiled macOS malware because of its broad compatibility and the laxer execution policies it faces.
- AOT files, along with FSEvents and Unified Logs, help investigate intrusions on macOS.
- Self-signed x86-64 binaries are easier to execute under Rosetta 2 than native ARM64 binaries, which are subject to stricter code signing requirements.
- AOT files persist until macOS system updates, after which they may be deleted and re-created with new UUIDs.
- FSEvents can track the execution of binaries even when other logs are unavailable.
- AOT files provide evidence of malware interaction and execution history.
- Monitoring for indications of AOT poisoning may be vital during investigations.
- Original binaries should be preferred for a complete understanding of malware functionality.
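The AOT-cache points above, worked as an added example (this is not code from the blog post or from Google/Mandiant): a small collector that walks a Rosetta 2 cache root such as /var/db/oah/, records every .aot and .in_progress file with its modification time and size, and returns them oldest-first so they can be lined up against FSEvents and Unified Log entries. The nested UUID/hash directory layout and file names in the constructed sample tree are assumptions for illustration only.

```python
"""Timeline of Rosetta 2 AOT cache artifacts (added example, not the post's code)."""
import os
import tempfile
import time
from datetime import datetime, timezone

AOT_ROOT = "/var/db/oah"  # cache location named on the page; read-only use


def classify(name):
    """Map a file name to an artifact kind. A lingering .in_progress file
    marks a translation that never completed, which is itself worth flagging."""
    if name.endswith(".aot"):
        return "aot"
    if name.endswith(".in_progress"):
        return "in_progress"
    return "other"


def collect_aot_artifacts(root=AOT_ROOT):
    """Return [(mtime_iso_utc, kind, relative_path, size_bytes), ...], oldest first."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind == "other":
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full, follow_symlinks=False)
            stamp = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            records.append((stamp, kind, os.path.relpath(full, root), st.st_size))
    records.sort()
    return records


def build_sample_cache():
    """Constructed sample tree with placeholder UUID/hash directory names (assumed layout)."""
    root = tempfile.mkdtemp(prefix="oah_sample_")
    base = time.mktime((2024, 3, 1, 12, 0, 0, 0, 0, -1))
    sample = [("UUID-PLACEHOLDER/hash-a/ping.aot", b"x" * 64, base),
              ("UUID-PLACEHOLDER/hash-b/dropper.aot", b"x" * 128, base + 600),
              ("UUID-PLACEHOLDER/hash-c/stage2.in_progress", b"", base + 900)]
    for rel, data, mtime in sample:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.utime(full, (mtime, mtime))  # set mtime so the sample has a real timeline
    return root


if __name__ == "__main__":
    for row in collect_aot_artifacts(build_sample_cache()):
        print(*row, sep="\t")
```

Run it against the real cache root on an Apple Silicon host to get a chronological list of translated binaries; the mtime column is what you correlate with FSEvents and Unified Log timestamps.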
MITRE Techniques:
- T1046: Network Service Discovery – Observed the use of universal binaries and certain processes to discover network services in the context of macOS system execution.
- T1071: Application Layer Protocol – The malicious binary executed traditional network and system commands (ping, chmod, sudo), indicative of application layer protocol usage and subsequent command execution.
- T1005: Data from Local System – The AOT files generated during the execution of binaries serve as local data artifacts indicating the interaction between malware and the system.
- T1080: Timestomp – Modification timestamps on AOT files can be used as evidence of malware execution times, correlating with other forensic data.
Indicators of Compromise:
- [File Path] /var/db/oah/
- [File Name] *.aot
- [File Name] *.in_progress
- [File Path] /Users/crown/Library/Developer/Xcode/DerivedData/DownAndMemload/
Full Story: https://cloud.google.com/blog/topics/threat-intelligence/rosetta2-artifacts-macos-intrusions/