
Security researchers at Mandiant have discovered that sophisticated threat actors are increasingly using x86-64 compiled malware to target Apple Silicon (ARM64) systems, leaving behind valuable forensic evidence through Rosetta 2 translation artifacts.
Rosetta 2, Apple's translation technology introduced with macOS Big Sur in 2020, creates Ahead-Of-Time (AOT) files when translating x86-64 binaries to run on ARM64 architecture. These AOT files persist in the system's cache even after attackers delete the original malware, providing critical evidence for digital forensic investigations.
According to Mandiant's findings, threat actors specifically choose x86-64 architecture due to "broader compatibility and relaxed execution policies compared to ARM64 binaries."
The research notes that "macOS enforces stricter code signing requirements for ARM64 binaries," making unsigned ARM64 binaries more difficult to execute than their x86-64 counterparts running through Rosetta 2.
Rosetta 2 is the translation layer that lets x86-64 binaries run on Apple Silicon (ARM64) Macs; the cache of Ahead-Of-Time (AOT) files it produces in the process is the forensic artifact at the heart of the research.
The report highlights a particularly significant case involving North Korean (DPRK) threat actors in cryptocurrency heists.
Investigators found that even though attackers had deleted their POOLRAT macOS backdoor "within a few minutes of a cryptocurrency heist being perpetrated," the Rosetta 2 AOT files remained intact, protected by System Integrity Protection (SIP) and "the relative obscurity of this forensic artifact."
These AOT files are stored in a protected cache directory at /var/db/oah/<UUID>/ and are owned by the OAH Daemon user account.
Figure: Rosetta 2 cache directory structure and contents
The researchers found that by analyzing these AOT artifacts alongside FSEvents records and Unified Logs, they could reconstruct attacker activities even when the original malware was gone.
In one case, they recovered developer file paths and function names from an AOT file related to a malicious DPRK downloader that was otherwise unrecoverable.
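As an added illustration of that workflow (this is example code written for this page, not Mandiant's tooling), the script below inventories an exported copy of the AOT cache, recording size, SHA-256 and modification time for each file so the entries can be lined up against FSEvents and Unified Log timelines, and extracts embedded source-file paths of the kind the researchers recovered. It assumes you are working from an export of /var/db/oah/<UUID>/ taken from a forensic image (the live directory is SIP-protected), that every regular file under it is an AOT file, and that the path prefixes and extensions in the regex are a reasonable starting list; the sample bytes are constructed.

```python
"""Inventory an exported Rosetta 2 AOT cache and pull developer-path strings.
Assumes an exported copy of /var/db/oah/<UUID>/ (e.g. from a forensic image)."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Source-file paths that survive as __FILE__/assert strings in the translated
# code; the directory prefixes and extensions are a starting list (assumption).
DEV_PATH_RE = re.compile(rb"/(?:Users|home|private|tmp|var)/[\x21-\x7e]*?\.(?:c|cc|cpp|m|mm|swift|go|rs)\b")

def developer_paths(data: bytes) -> list[str]:
    """Return unique source-file paths embedded in an AOT file, in order found."""
    seen: list[str] = []
    for m in DEV_PATH_RE.finditer(data):
        p = m.group().decode("ascii")
        if p not in seen:
            seen.append(p)
    return seen

def inventory(root: str) -> list[dict]:
    """Walk an exported AOT cache and describe every regular file in it."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            # mtime is the translation time: the pivot for FSEvents/Unified Log
            when = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
            rows.append({"path": os.path.relpath(full, root), "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "mtime_utc": when.isoformat(),
                         "dev_paths": developer_paths(data)})
    return rows

# Constructed stand-in for an AOT file: padding around a __FILE__-style path
# and a symbol name, as a debug build leaves behind (not data from any sample).
SAMPLE_AOT = (b"\x00" * 16 + b"/Users/dev/proj/src/fetch_payload.c\x00"
              + b"\xcf\xfa\xed\xfe" + b"_run_loop\x00" + b"\x00" * 16)

def demo() -> list[dict]:
    """Write the sample into a throwaway cache layout and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "7F3A0C")  # stands in for a per-binary subdir
        os.makedirs(sub)
        with open(os.path.join(sub, "downloader.aot"), "wb") as fh:
            fh.write(SAMPLE_AOT)
        return inventory(root)
```

Run `demo()` to see the inventory for the constructed sample; point `inventory()` at a real export to produce rows you can join with your timeline.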
Mandiant recommends that security professionals include Rosetta 2 AOT file analysis in their standard procedures when investigating macOS intrusions. While they acknowledge the theoretical risk of "AOT poisoning" if System Integrity Protection is disabled, they have not yet observed this technique in actual attacks.
The research was conducted across various macOS versions from 13.5 to 14.7.2, with the team noting that "future or previous versions of macOS and Rosetta 2 may behave differently."