
A previously undetected piece of malware found on nearly 30,000 Macs worldwide is sparking intrigue in security circles, and security researchers are still trying to understand exactly what it does and what purpose its self-destruct capability serves.
Once an hour, infected Macs check a monitoring server to see if there are any new commands for the malware to run or binaries to execute. So far, however, researchers have not observed a single payload on any of the infected 30,000 machines, leaving the ultimate target of the malware unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
Also curiously, the malware comes with a mechanism to completely remove itself, a capability typically reserved for high-stealth operations. So far, however, there are no signs that the self-destruct function has been used, raising the question of why the mechanism exists.
In addition to those questions, the malware stands out for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is even more mysterious because it uses the macOS Installer JavaScript API to execute commands. That makes it difficult to analyze the contents of the installation package or the way that package uses the JavaScript commands.
The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France and Germany. Using Amazon Web Services and the Akamai network for content delivery ensures that the command infrastructure works reliably and also makes it more difficult to block the servers. Researchers at Red Canary, the security company that discovered the malware, are calling the malware Silver Sparrow.
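The hourly check-in described above is a timing pattern defenders can look for even when the destination sits behind a shared CDN and cannot simply be blocked. The following is an added example, not code from Red Canary or from the article; the record format, host names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (epoch_seconds, source_host, destination).
# Host and domain names are placeholders, not indicators from any report.
SAMPLE = [
    (1000, "mac-01", "cdn.example.test"), (4605, "mac-01", "cdn.example.test"),
    (8197, "mac-01", "cdn.example.test"), (11810, "mac-01", "cdn.example.test"),
    (15400, "mac-01", "cdn.example.test"),
    (1200, "mac-02", "updates.example.test"), (1500, "mac-02", "updates.example.test"),
    (9000, "mac-02", "updates.example.test"), (9100, "mac-02", "updates.example.test"),
    (20000, "mac-02", "updates.example.test"),
    (2000, "mac-03", "cdn.example.test"), (5600, "mac-03", "cdn.example.test"),
]

def hourly_beacons(records, period=3600, tolerance=120, max_jitter=60, min_events=4):
    """Return {(host, dest): mean_gap_seconds} for pairs that connect on a
    near-fixed schedule: mean gap within `tolerance` of `period` and a
    population standard deviation of the gaps no larger than `max_jitter`."""
    stamps_by_pair = defaultdict(list)
    for ts, host, dest in records:
        stamps_by_pair[(host, dest)].append(ts)

    hits = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if abs(avg - period) <= tolerance and pstdev(gaps) <= max_jitter:
            hits[pair] = avg
    return hits

if __name__ == "__main__":
    for (host, dest), gap in hourly_beacons(SAMPLE).items():
        print(f"{host} -> {dest}: mean interval {gap:.0f}s")
```

Legitimate updaters also poll on fixed schedules, so a hit is a lead to correlate with the originating process, not a verdict.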
Fairly serious threat
“While we have not yet seen Silver Sparrow deliver additional malicious payloads, the forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow poses a fairly serious threat, uniquely positioned to have a potentially impactful payload in the blink of an eye,” Red Canary researchers wrote in a blog published Friday. “Given these concerns, in the spirit of transparency, we wanted to share everything we know with the wider infosec industry sooner rather than later.”
Silver Sparrow comes in two versions: one containing a binary in Mach-O (Mach object) format compiled for Intel x86_64 processors, and the other a Mach-O binary for the M1. The image below provides a high-level overview of the two versions:

So far, researchers haven’t seen either binary do much of anything, prompting the researchers to refer to them as “bystander binaries.” Oddly enough, the x86_64 binary, when executed, returns the words “Hello World!” while the M1 binary reads “You did it!” The researchers suspect that the files are placeholders to give the installer something to distribute content outside of JavaScript execution. Apple has revoked the developer certificates for both bystander binaries.
Silver Sparrow is only the second piece of malware to contain code that runs natively on Apple’s new M1 chip. An adware sample reported earlier this week was the first. Native M1 code runs faster and more reliably on the new platform than x86_64 code, as the former does not need to be translated before running. Many developers of legitimate macOS apps have still not completed the process of recompiling their code for the M1. The M1 version of Silver Sparrow suggests that its developers are leading the way.
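When triaging a suspicious Mach-O file, the first question the paragraphs above raise is which CPU architecture it targets. The following is an added example, not code from the article or from Red Canary; it goes slightly beyond the text by also handling universal (multi-architecture) files, and the header bytes are constructed rather than taken from any sample.

```python
import struct

# Magic numbers and CPU types as defined in <mach-o/loader.h>,
# <mach-o/fat.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
MAX_FAT_ARCHS = 16  # heuristic: Java .class files also start with 0xCAFEBABE

def _cpu(cputype):
    return CPU_NAMES.get(cputype, "unknown(0x%08x)" % cputype)

def macho_archs(data):
    """List the CPU architectures in a thin 64-bit or universal Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        # Universal header is big-endian: magic, nfat_arch, then one
        # fat_arch (20 bytes) or fat_arch_64 (32 bytes) entry per slice.
        count = struct.unpack(">I", data[4:8])[0]
        entry = 20 if magic == FAT_MAGIC else 32
        if not 0 < count <= MAX_FAT_ARCHS:
            raise ValueError("implausible slice count, probably not Mach-O")
        if len(data) < 8 + count * entry:
            raise ValueError("truncated universal header")
        return [_cpu(struct.unpack(">I", data[8 + i * entry:12 + i * entry])[0])
                for i in range(count)]
    # x86_64 and arm64 images are stored little-endian on disk.
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        return [_cpu(struct.unpack("<I", data[4:8])[0])]
    raise ValueError("not a 64-bit Mach-O image")

# Constructed headers for demonstration (no real sample bytes).
THIN_ARM64 = struct.pack("<II", MH_MAGIC_64, 0x0100000C) + bytes(24)
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">5I", 0x01000007, 3, 0x4000, 0x8000, 14)
             + struct.pack(">5I", 0x0100000C, 0, 0xC000, 0x8000, 14))
JAVA_CLASS = bytes.fromhex("cafebabe00000034") + bytes(16)

if __name__ == "__main__":
    print(macho_archs(THIN_ARM64), macho_archs(UNIVERSAL))
```

Reading the first 4 KB of a file is enough input for `macho_archs`, so the check can run over a directory of installers without loading whole binaries.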
Once installed, Silver Sparrow looks for the URL from which the installation package was downloaded, most likely so that the malware operators know which distribution channels are most successful. In that regard, Silver Sparrow resembles previously seen macOS adware. It remains unclear exactly how or where the malware is distributed or how it is installed. However, the URL check suggests that malicious search results could be at least one distribution channel, in which case the installers are likely masquerading as legitimate apps.
An Apple spokesperson commented on the condition that they not be named and the comment not quoted. The statement says that after finding the malware, Apple revoked the developer certificates. Apple also noted that there is no evidence that a malicious payload was delivered. Finally, the company said it offers a variety of hardware and software protection and software updates, and the Mac App Store is the safest place to get macOS software.
One of the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers teamed up with their counterparts at Malwarebytes, with the latter group finding that Silver Sparrow was installed on 29,139 macOS endpoints as of Wednesday. That is an important achievement.
“For me the most striking [thing] is that it was found on nearly 30K macOS endpoints… and these are only endpoints that MalwareBytes can see, so the number is probably much higher,” Patrick Wardle, a macOS security expert, wrote in an internet post. “That’s pretty widespread… and it shows once again that macOS malware is becoming more ubiquitous and commonplace, despite Apple’s best efforts.”
For those wanting to check if their Mac is infected, Red Canary provides indicators of compromise at the end of its report.