Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions.

Google Cloud Blog (cloud.google.com)
Guidance for investigating macOS intrusions where sophisticated threat actors are taking steps to hide their activity.

- Rosetta 2 is Apple's translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems.
- Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts.
- Mandiant has observed sophisticated threat actors leveraging x86-64 compiled macOS malware, likely due to broader compatibility and relaxed execution policies compared to ARM64 binaries.
- Analysis of AOT files, combined with FSEvents and Unified Logs (with a custom profile), can assist in investigating macOS intrusions.
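As an added example (not code from the Mandiant/Google Cloud post or from Apple), the script below walks a Rosetta 2 AOT cache, builds a creation-time timeline of the translated binaries, flags entries worth a closer look, and emits the time window as a `log show` argument vector so the AOT timeline can be lined up against FSEvents and unified log output. Everything beyond the bullets above is an assumption made here: that the cache root is `/var/db/oah`, that cache entries end in `.aot`, that an AOT file's stem is the basename of the x86-64 binary it was translated from, that AOT files are Mach-O images (so a non-Mach-O or empty entry is anomalous), and that the Rosetta daemon appears in the unified log under the process name `oahd`. `build_sample_cache` writes a constructed two-entry cache into a temporary directory so the script runs offline; point `collect_aot_entries` at the real root on a live system.

```python
#!/usr/bin/env python3
"""Timeline Rosetta 2 AOT cache entries for macOS intrusion triage.

Added example; not from the original post. Assumptions (labelled below):
cache root /var/db/oah, ".aot" suffix, AOT stem == original binary basename,
AOT files are 64-bit Mach-O images, Rosetta daemon logs as "oahd".
"""
import csv
import io
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import List

DEFAULT_CACHE = Path("/var/db/oah")  # assumption: default Rosetta 2 AOT cache root
# MH_MAGIC_64 as it appears on disk, little- and big-endian (assumption: AOT files are Mach-O)
MACHO_MAGIC_64 = {b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf"}


@dataclass
class AotEntry:
    path: str
    binary_name: str   # .aot stem; assumed to be the original x86-64 binary's basename
    created: float     # birth time where the filesystem exposes it, otherwise ctime
    modified: float
    size: int
    is_macho: bool


def _created(st: os.stat_result) -> float:
    # APFS/HFS+ expose st_birthtime; on other filesystems fall back to ctime.
    return getattr(st, "st_birthtime", st.st_ctime)


def _looks_like_macho(path: Path) -> bool:
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGIC_64
    except OSError:
        return False


def collect_aot_entries(root: Path = DEFAULT_CACHE) -> List[AotEntry]:
    """Walk the cache and return .aot entries sorted oldest-first by creation time."""
    entries = []
    for p in root.rglob("*.aot"):
        if not p.is_file():
            continue
        st = p.stat()
        entries.append(AotEntry(str(p), p.stem, _created(st), st.st_mtime,
                                st.st_size, _looks_like_macho(p)))
    return sorted(entries, key=lambda e: (e.created, e.path))


def entries_in_window(entries: List[AotEntry], start: float, end: float) -> List[AotEntry]:
    """AOT files first created inside an incident window (epoch seconds)."""
    return [e for e in entries if start <= e.created <= end]


def suspicious(entries: List[AotEntry]) -> List[AotEntry]:
    """Entries to review first: empty files or files that are not Mach-O images."""
    return [e for e in entries if e.size == 0 or not e.is_macho]


def log_show_args(start: float, end: float) -> List[str]:
    """Argument vector for `log show`, bounded to the window, filtered to the
    Rosetta daemon ("oahd" is an assumed process name; adjust for a custom profile)."""
    fmt = "%Y-%m-%d %H:%M:%S"  # `log show --start/--end` take local-time timestamps
    return ["log", "show", "--predicate", 'process == "oahd"',
            "--start", datetime.fromtimestamp(start).strftime(fmt),
            "--end", datetime.fromtimestamp(end).strftime(fmt)]


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_csv(entries: List[AotEntry]) -> str:
    """CSV timeline, UTC timestamps, ready to merge with an FSEvents timeline."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["created_utc", "modified_utc", "size", "macho", "binary_name", "aot_path"])
    for e in entries:
        w.writerow([_iso(e.created), _iso(e.modified), e.size, e.is_macho, e.binary_name, e.path])
    return buf.getvalue()


def build_sample_cache() -> Path:
    """Constructed sample cache (not real data): one plausible AOT image and one empty stub."""
    root = Path(tempfile.mkdtemp(prefix="oah-sample-"))
    good = root / "runtime-aa" / "bin-aa" / "payload_x86.aot"
    good.parent.mkdir(parents=True)
    good.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # Mach-O 64 magic + padding
    stub = root / "runtime-aa" / "bin-bb" / "truncated.aot"
    stub.parent.mkdir(parents=True)
    stub.write_bytes(b"")
    return root


if __name__ == "__main__":
    import sys
    cache = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_CACHE
    found = collect_aot_entries(cache)
    print(to_csv(found), end="")
    if found:
        print(" ".join(log_show_args(found[0].created, found[-1].created)), file=sys.stderr)
```

On a live Apple Silicon host the cache root is only readable with elevated privileges, and the birth time of an `.aot` entry is the earliest evidence this script can give of the first translation (and hence first execution) of the corresponding x86-64 binary; an entry can outlive the binary that produced it, so a `binary_name` with no matching file on disk is itself a lead worth pivoting on in FSEvents.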