Breaking Windows with your ARM

Thu, 27 Jun 2024 @ 11:55:00

Our research aims to shed light on the current state of Windows on ARM (WoA) rootkits.

Although we have yet to find Windows malware targeting the ARM (or ARM64, also known as AArch64) architecture, and no rootkits have yet been discovered for this platform, we know that the arms race has begun and it is only a matter of time until a rootkit for WoA emerges.

In our research we looked for ways to implement a rootkit using known mechanisms, such as different hooking techniques and callback functions, and developed a tool to detect rootkit infections on the WoA platform by looking for inconsistencies in critical kernel structures.

ARM64 architecture provides mobile devices with better battery life while maintaining great performance, and we believe that the future of mobile devices running Windows is in ARM. As WoA gains popularity among users, including those using Apple Silicon devices, it is essential to prepare for the inevitable emergence of rootkits.

Using our tool, we hope to lay the groundwork for IR and malware analysts who will have to reverse engineer the malware of the future.