Malware Analysis for ARM-based Unix-like Systems
Timoshchenko, Danila (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202404176753
Abstract
The goal of this thesis was to assess the current state of malware developed for, or recompiled for, ARM-based Linux and MacOS systems.

The thesis reviews the malware threat to newer ARM-based systems for both Linux and MacOS. For the analysis work, Ghidra was set up inside a virtualised MacOS instance run under UTM, which served as an isolated analysis environment.

Common protection measures of MacOS and Linux systems are covered, together with the threat of malicious code originally written for the x86 architecture being repurposed for ARM, and the fact that Rosetta 2 allows x86 malware to run on ARM-based Macs.

To research the malware, the source code of the Mirai botnet was reviewed as an example for Linux systems and their vulnerability to such attacks. For MacOS, a sample of the GoSearch22 malware was analysed with Ghidra. In the GoSearch22 analysis, attention was drawn to its anti-debugging behaviour, since it uses many of the techniques currently employed to hinder analysis.

The thesis concludes with the need to understand low-level programming and the obfuscation techniques of malicious binaries in order to perform proper malware analysis. Given the nature of the analysed malware, some protection vectors of currently used systems are discussed as well.
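As an added example (not code from the thesis, nor from the GoSearch22 sample itself), the C program below shows the most basic form of the anti-debugging check that such samples use: asking the operating system whether the current process is being traced. On macOS it queries the kernel's process table through sysctl() and tests the P_TRACED flag; on Linux it reads the TracerPid field from /proc/self/status. The abstract does not state which exact checks GoSearch22 performs, so this is a generic illustration of the technique, not a description of that sample. The function names and the constructed status lines in the parser are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the "TracerPid:" line of a Linux /proc/<pid>/status buffer.
 * Returns the tracer's PID (0 when nobody is tracing the process), or -1
 * when the field is absent. Kept free of I/O so it can be exercised on
 * constructed input without a live debugger. */
int tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, strlen(key)) == 0)
            return atoi(line + strlen(key));   /* atoi skips the tab/space */
        line = strchr(line, '\n');
        if (line)
            line++;                            /* step past the newline */
    }
    return -1;
}

#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>

/* macOS: fetch our own kinfo_proc entry and test P_TRACED, the flag the
 * kernel sets while a debugger (lldb, ptrace) is attached. */
int is_debugger_present(void)
{
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, (int)getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);

    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}
#else
/* Linux: the same information is exposed as TracerPid in procfs. */
int is_debugger_present(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n;
    int tracer;

    if (!f)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    tracer = tracer_pid_from_status(buf);
    return tracer < 0 ? -1 : (tracer != 0);
}
#endif

/* Malware typically branches on this result: exit, sleep forever, or take a
 * benign code path when a debugger is seen. */
int main(void)
{
    int r = is_debugger_present();

    if (r < 0)
        puts("could not determine debugger state");
    else
        puts(r ? "debugger detected: refusing to run" : "no debugger: continuing");
    return 0;
}
```

When analysing a binary that carries such a check, the usual countermeasure in Ghidra is to locate the sysctl() or /proc read, follow the result to the conditional branch, and patch that branch (or the returned flag) so the sample continues down its real code path under the debugger.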