Lumma Stealer Malware aka LummaC – Active IOCs
March 8, 2025
Severity
High
Analysis Summary
Advanced threat actors increasingly exploit Apple’s Rosetta 2 translation technology to execute x86-64 malware on Apple Silicon devices, bypassing execution policies and leveraging architectural differences between Intel and ARM64 processors. When an x86-64 binary runs via Rosetta 2, the system generates an ahead-of-time (AOT) compiled file stored in /var/db/oah/, creating forensic artifacts that persist even if attackers delete the original payload. Research highlights that state-sponsored groups, including DPRK-affiliated actors, use this approach to circumvent stricter ARM64 code signing requirements, deploying self-signed x86-64 malware that faces fewer execution restrictions. Attackers also utilize universal binaries with both x86-64 and ARM64 slices, ensuring compatibility across architectures while leaving behind forensic trails in AOT cache, Unified Logs, and FSEvents.

AOT files play a crucial role in forensic investigations by preserving timestamped execution records and partial code structures, even after malware deletion. Attackers have been observed executing system utilities like sudo, chmod, and cat via Rosetta 2, generating activity logs that security teams can analyze. However, while AOT files retain valuable metadata, they lack static data such as embedded configurations or network indicators, limiting full malware reconstruction. Detection methodologies rely on correlating AOT file timestamps, monitoring FSEvents for .in_progress to .aot transitions, and using custom Unified Log profiles to unmask private fields in oahd logs. These forensic techniques help investigators trace malicious execution chains, even when adversaries attempt to erase evidence.
To mitigate these threats, organizations should enforce System Integrity Protection (SIP) to prevent tampering with Rosetta 2’s cache and implement proactive monitoring of FSEvents and AOT file hashes to detect anomalies. Periodic audits of AOT files against known-good translations can help identify tampered or unauthorized binaries. As Apple gradually phases out Intel support, stricter ARM64 code signing requirements may limit these attacks, but researchers warn that x86-64 malware will remain a persistent risk due to legacy software dependencies. Security teams must prioritize forensic artifact collection and leverage Rosetta 2’s execution traces to enhance macOS threat detection in an evolving landscape of cross-architecture attacks.
Impact
- Sensitive Data Theft
- Security Bypass
- Code Execution
Remediation
- Enforce System Integrity Protection (SIP) to prevent unauthorized access to Rosetta 2’s cache directory, reducing the risk of malware persistence.
- Track .in_progress → .aot file transitions in /var/db/oah/ to detect unauthorized binary execution.
- Compare SHA-256 hashes of cached AOT files against known-good Rosetta 2 translations to identify tampered binaries.
- Unmask private fields in oahd logs to reveal hidden execution paths and suspicious activity.
- Implement application whitelisting to block unauthorized Rosetta 2 translations.
- Ensure security tools monitor AOT file activity and detect suspicious universal binary execution.
- Adapt detection rules as Apple tightens ARM64 code signing requirements to stay ahead of evolving threats.
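The AOT-cache checks described in the analysis and in the remediation items above (recording translation timestamps, comparing SHA-256 hashes of cached AOT files against a known-good baseline, and pairing .in_progress writes with the .aot that replaces them) as an added Python example; this is not code from the advisory. It assumes the in-progress file is the final .aot name plus an ".in_progress" suffix, and the demo uses a constructed scratch directory rather than the live /var/db/oah/ cache.

```python
import hashlib
import tempfile
from pathlib import Path

AOT_CACHE = Path("/var/db/oah")  # Rosetta 2 AOT cache root named in the advisory

def inventory_aot(root=AOT_CACHE):
    """Map each .aot file under root to (mtime, sha256). The mtime is the
    translation timestamp that survives deletion of the original x86-64 payload."""
    return {str(p.relative_to(root)): (p.stat().st_mtime, hashlib.sha256(p.read_bytes()).hexdigest())
            for p in Path(root).rglob("*.aot")}

def audit_aot(inventory, baseline):
    """Compare a fresh inventory with a known-good {relpath: sha256} baseline.
    Returns (new, modified): paths absent from the baseline, and paths whose hash changed."""
    new = sorted(k for k in inventory if k not in baseline)
    modified = sorted(k for k, (_, h) in inventory.items() if k in baseline and baseline[k] != h)
    return new, modified

def find_translations(events):
    """events: (timestamp, path) records, e.g. pulled from FSEvents. Pairs each
    *.in_progress write with the later *.aot of the same stem, the on-disk sign that
    oahd finished translating a binary. Assumption (not from the advisory): the
    in-progress name is the final .aot name, or its stem, plus an '.in_progress' suffix."""
    started, completed = {}, []
    for ts, path in sorted(events):
        if path.endswith(".in_progress"):
            started[path.removesuffix(".in_progress").removesuffix(".aot")] = ts
        elif path.endswith(".aot") and path[:-4] in started:
            completed.append((path, started.pop(path[:-4]), ts))
    return completed

def demo():
    """Constructed scratch cache: baseline two AOT files, then tamper one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "a1", "b2")
        d.mkdir(parents=True)
        (d / "sudo.aot").write_bytes(b"AOT-sudo-v1")
        (d / "cat.aot").write_bytes(b"AOT-cat-v1")
        baseline = {k: h for k, (_, h) in inventory_aot(tmp).items()}
        (d / "sudo.aot").write_bytes(b"AOT-sudo-TAMPERED")   # simulated tampering
        (d / "chmod.aot").write_bytes(b"AOT-chmod-v1")       # simulated new translation
        return audit_aot(inventory_aot(tmp), baseline)

if __name__ == "__main__":
    print(demo())  # (['a1/b2/chmod.aot'], ['a1/b2/sudo.aot'])
    print(find_translations([("10:00:02", "/var/db/oah/x/y/sudo.aot"),
                             ("10:00:00", "/var/db/oah/x/y/sudo.aot.in_progress")]))
```

Run `inventory_aot()` with no argument as root on a live Mac to snapshot the real cache; store the hash map as the baseline and re-run `audit_aot` on a schedule.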