Mac Malware Developers Designed to Run on Devices Powered by Apple’s M1 Chip


A growing number of Mac malware designers are developing variants that are explicitly designed to run on Apple’s M1 chip-based computers.

The first malware developed specifically for systems with the arm64 CPU architecture used by the M1 was apparently created in December 2020, after Apple released its M1 system-on-chip in November 2020. This was a version of Pirrit, an adware application that has been around for quite some time.

A few days after this Pirrit variant was discovered, controlled detection and response firm Red Canary revealed the discovery of a mysterious piece of Mac malware that had infected tens of thousands of computers all over the world. Silver Sparrow was a malware variant that was specifically developed for M1 systems.

On Friday, Kaspersky Lab announced that it, too, had discovered malware with a variant compiled for M1 chips, specifically a variant of the malware known as XCSSET.

XCSSET is a mysterious piece of malware that was first discovered in August 2020 by Trend Micro and Mac security firm Intego. It does not seem to be related to any identified threat group or operation, but the majority of infections were discovered in China and India at the time.

The malware is intended to allow its user to carry out ransomware attacks (encrypt files and view a ransom note) and steal data from infected computers, including data associated with Evernote, Skype, Notes, QQ, WeChat, and Telegram apps.

It may even use universal cross-site scripting (UXSS) attacks to insert arbitrary JavaScript code into the victim’s favourite websites. This enables it to make changes to websites, such as replacing cryptocurrency addresses and phishing credentials and credit card details.

XCSSET is distributed by injecting code into Xcode projects, Apple’s integrated development environment. When the mission is finished, the payload is executed.

An XCSSET sample compiled for the arm64 architecture has been discovered by Kaspersky. This sample was submitted to the VirusTotal malware analysis service on February 24, indicating that the campaign is still active, according to the company’s researchers.

According to Kaspersky, Mac malware is often distributed in the Mach-O format, which contains malicious code compiled for multiple architectures, with the code corresponding to that architecture being executed depending on the type of computer the malware lands on.

In a blog post, Kaspersky researchers wrote, “Apple has definitely pushed its performance and energy saving limits on Mac computers with the latest M1 chip, but malware developers kept an eye on those developments and quickly adapted their executables to Apple Silicon by porting the code to the ARM64 architecture.”

“We have observed numerous attempts to port executables not only among standard adware samples like Pirrit or Bnodlero samples, but also among malicious packages like the Silver Sparrow threat and downloadable malicious modules from XCSSET,” they added. This would inevitably inspire other malware writers to start adapting their code to run on Apple M1 processors.”

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.