Abstract
In November 2020, Apple introduced a new architecture, Apple Silicon, that would power all new laptops and desktops. Based on ARM64 and with many custom features added by Apple, this marked a complete switch from the Intel-based systems that had powered Apple laptops and desktops for many years. With such a radical change, it was obvious that many existing digital forensics and incident response techniques would need to be re-evaluated on the platform. Similarly, several new additions to the operating system are interesting as potential abuse vectors for malware and malicious actors. In this paper, we document our effort to understand the largest threat surface unique to Apple Silicon devices. This feature, called Rosetta 2, allows 64-bit Intel applications and libraries to execute seamlessly on Apple Silicon. Rosetta 2 achieves this by translating Intel-specific code on the fly into functionally equivalent Apple Silicon instruction sequences. Through this feature, a significant number of existing applications can be executed without needing to be recompiled for Apple Silicon. Apple added this capability to ease the transition to Apple Silicon devices, as not all legacy applications will be recompiled in a timely manner and some may not be ported at all. Such a capability piqued our research team's interest, as many malware samples created for Intel systems have been used to target individuals, corporations, and governments. Our goal was to discover which classes of existing malware samples and which offensive techniques remain functional via Rosetta 2. To accomplish this, we acquired a wide-ranging set of macOS malware samples, executed them on Apple Silicon devices, and observed the results. We then documented the APIs abused by existing macOS malware and wrote proof-of-concept applications that mirrored these techniques.
In this paper, we document the results of this research, including a discussion of the ease with which existing malicious applications and techniques seamlessly function through Rosetta 2.
More From: Forensic Science International: Digital Investigation