Source: Cloudblog
Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions

  • Rosetta 2 is Apple's translation layer that lets x86-64 binaries run on Apple Silicon (ARM64) Macs; the translation process leaves forensic artifacts on disk and in the logs.
  • Mandiant has observed sophisticated threat actors shipping x86-64 macOS malware rather than (or alongside) native ARM64 builds, both for compatibility with Intel Macs and because x86-64 code faces looser execution requirements: Apple Silicon refuses to run unsigned native ARM64 binaries, while an unsigned x86-64 binary still runs under Rosetta 2.
  • When an x86-64 binary is first executed, Rosetta 2 writes an ahead-of-time (AOT) translated file into its cache under /var/db/oah/; each entry is identifiable by the binary's UUID and carries a filesystem timestamp of when translation occurred.
  • AOT files persist after the original binary is removed, so the cache is evidence of past execution of x86-64 code even when the attacker has deleted the payload.
  • Unified Logs record the translation and execution activity of oahd, the Rosetta 2 translation daemon, showing when a given binary was translated and run.
  • FSEvents records the creation of AOT files in the cache directory and so preserves a history of x86-64 binary executions that complements the cache contents themselves.
  • Over the past year Mandiant has identified several sophisticated macOS malware variants compiled for x86-64 and analysed them with these artifacts.
  • Poisoning AOT files in the Rosetta 2 cache (replacing a legitimate binary's translated code) is a potential attack vector; Mandiant has not yet seen it used in the wild.
  • Combining AOT files, Unified Logs and FSEvents gives investigators a fuller picture of attacker behaviour in macOS intrusions than any one source alone.
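As an added example (not code from the Mandiant post or from Apple), the script below shows the correlation the summary describes: it parses Rosetta 2 cache paths and `log show`-style oahd lines, merges them into one timeline, and flags AOT files whose source x86-64 binary is no longer on disk. The cache layout below /var/db/oah/ (a hash directory, then a UUID directory, then `<name>.aot`) and the wording of the oahd log message are assumptions made for this example and must be checked against a live host; the cache entries, log lines and "present on disk" set are constructed sample data.

```python
#!/usr/bin/env python3
"""Merge Rosetta 2 AOT cache entries and Unified Log lines into one timeline.

Added example, not Mandiant's or Apple's code. Assumptions (labelled):
  * cache layout /var/db/oah/<hash>/<UUID>/<binary>.aot is assumed here;
  * the oahd message text "translated <binary> -> <aot>" is CONSTRUCTED; check
    the real wording with: log show --predicate 'process == "oahd"'
  * inputs are in-memory constructed lists so the script runs offline.
"""
import re
from datetime import datetime

AOT_RE = re.compile(
    r"^/var/db/oah/(?P<hash>[0-9a-f]+)/"
    r"(?P<uuid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})/(?P<name>[^/]+)\.aot$"
)
# `log show` style line: leading timestamp, then fields, then "oahd: <message>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4}) .*?\boahd: (?P<msg>.*)$"
)
MSG_RE = re.compile(r"^translated (?P<binary>\S+) -> (?P<aot>\S+)$")  # constructed format


def parse_aot_path(path):
    """Split a cache path into hash / UUID / original binary name, or None."""
    m = AOT_RE.match(path)
    return m.groupdict() if m else None


def parse_oahd_line(line):
    """Return {time, binary, aot} for an oahd translation line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    mm = MSG_RE.match(m.group("msg"))
    if not mm:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f%z"),
        "binary": mm.group("binary"),
        "aot": mm.group("aot"),
    }


def build_timeline(aot_cache, log_lines, present_binaries):
    """Return cache entries and log records sorted by time.

    binary_missing marks records whose x86-64 binary is not on disk any more:
    an AOT file outliving its source binary is evidence of execution that
    survived the actor deleting the payload (unknown origin is also flagged).
    """
    aot_to_binary, records = {}, []
    for line in log_lines:
        rec = parse_oahd_line(line)
        if rec is None:
            continue
        aot_to_binary[rec["aot"]] = rec["binary"]
        records.append({**rec, "source": "unified_log"})
    for path, mtime_iso in aot_cache:
        parts = parse_aot_path(path)
        if parts is None:
            continue
        records.append({
            "time": datetime.strptime(mtime_iso, "%Y-%m-%dT%H:%M:%S%z"),
            "binary": aot_to_binary.get(path),  # None if no log line names it
            "aot": path, "name": parts["name"], "uuid": parts["uuid"],
            "source": "aot_cache",
        })
    for rec in records:
        rec["binary_missing"] = rec["binary"] not in present_binaries
    records.sort(key=lambda r: r["time"])
    return records


def orphaned_aot_files(timeline):
    """Cache entries whose original x86-64 binary is gone from disk."""
    return [r for r in timeline if r["source"] == "aot_cache" and r["binary_missing"]]


# Constructed sample data (not from a real system).
SAMPLE_AOT_CACHE = [
    ("/var/db/oah/3f2a9c1e7b5d4a6c/8C0D9E2A-1B3C-4D5E-9F01-23456789ABCD/update.aot",
     "2024-03-05T10:15:42+0000"),
    ("/var/db/oah/3f2a9c1e7b5d4a6c/0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9/Electron.aot",
     "2024-02-20T08:00:00+0000"),
]
SAMPLE_LOG_LINES = [
    "2024-03-05 10:15:42.118201+0000 0x1a2b Default 0x0 512 0 oahd: translated "
    "/Users/jdoe/Downloads/update -> "
    "/var/db/oah/3f2a9c1e7b5d4a6c/8C0D9E2A-1B3C-4D5E-9F01-23456789ABCD/update.aot",
    "2024-03-05 10:15:43.000000+0000 0x1a2b Default 0x0 0 0 kernel: unrelated entry",
    "2024-02-20 07:59:59.500000+0000 0x3c4d Default 0x0 512 0 oahd: translated "
    "/Applications/Slack.app/Contents/MacOS/Electron -> "
    "/var/db/oah/3f2a9c1e7b5d4a6c/0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9/Electron.aot",
]
# What is on disk now: the actor deleted ~/Downloads/update after running it.
SAMPLE_PRESENT = {"/Applications/Slack.app/Contents/MacOS/Electron"}

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_AOT_CACHE, SAMPLE_LOG_LINES, SAMPLE_PRESENT)
    for r in tl:
        flag = "BINARY MISSING" if r["binary_missing"] else ""
        print(r["time"].isoformat(), r["source"], r["binary"] or r["name"], flag)
    for r in orphaned_aot_files(tl):
        print("orphaned AOT:", r["aot"], "last known binary:", r["binary"])
```

On a live host the two inputs would come from a recursive listing of /var/db/oah/ (with mtimes) and from `log show` filtered to the oahd process; the FSEvents record of the same AOT file creations is a third source to add when the Unified Log has already rolled over.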
