Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions.
(cloud.google.com)
from Tea@programming.dev to cybersecurity@infosec.pub on 03 Mar 15:38
https://programming.dev/post/26297722
- Rosetta 2 is Apple’s translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems.
- Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts.
- Mandiant has observed sophisticated threat actors leveraging x86-64 compiled macOS malware, likely due to broader compatibility and relaxed execution policies compared to ARM64 binaries.
- Analysis of AOT files, combined with FSEvents and Unified Logs (with a custom profile), can assist in investigating macOS intrusions.
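As an added illustration of the AOT-artifact point (this is not part of the linked post or Tea's summary), a small POSIX shell triage helper that inventories Rosetta 2 AOT cache files with their timestamps so they can be lined up against FSEvents and Unified Log entries. It assumes the cache root is `/var/db/oah` on an Apple Silicon Mac (reading it needs root); the root is a parameter so the same function runs against a mounted or copied image.

```shell
#!/bin/sh
# Added triage helper (not from the Mandiant post). Assumption: on Apple
# Silicon macOS the Rosetta 2 AOT cache lives under /var/db/oah; pass another
# root to inspect a copied or mounted image instead.
AOT_ROOT_DEFAULT=/var/db/oah

# list_aot_artifacts [ROOT]
# One line per AOT file, oldest first:
#   epoch-mtime<TAB>size<TAB>original-binary-name<TAB>path
# The AOT file keeps the translated binary's name, which is useful when the
# original x86-64 binary has since been deleted from disk.
list_aot_artifacts() {
    root="${1:-$AOT_ROOT_DEFAULT}"
    [ -d "$root" ] || { echo "no AOT cache at $root" >&2; return 1; }
    find "$root" -type f -name '*.aot' 2>/dev/null | while IFS= read -r f; do
        # stat(1) syntax differs between macOS/BSD and GNU coreutils.
        if [ "$(uname)" = Darwin ]; then
            mtime=$(stat -f '%m' "$f"); size=$(stat -f '%z' "$f")
        else
            mtime=$(stat -c '%Y' "$f"); size=$(stat -c '%s' "$f")
        fi
        printf '%s\t%s\t%s\t%s\n' "$mtime" "$size" "$(basename "$f" .aot)" "$f"
    done | sort -n
}

# count_aot_artifacts [ROOT] -> number of AOT files under ROOT
count_aot_artifacts() {
    list_aot_artifacts "$1" | wc -l | tr -d ' '
}
```

Each mtime is the moment Rosetta translated that binary, so it marks a first-execution time even when the binary itself is gone; the FSEvents and Unified Log pivots mentioned above then narrow down what launched it.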