Mysterious Silver Sparrow malware hits 30,000 macOS devices
The cluster is among the first to spread malware affecting devices fitted with Apple’s new M1 chip
There are two versions of the Silver Sparrow malware that have targeted 29,139 macOS endpoints as of 17 February combined. Infections were discovered across 153 countries but there were high volumes of detection recorded in the UK, US, Canada, France and Germany.
The difference between these two strains is chiefly that the first only contained a Mach-O binary compiled for Intel architecture while the second included a binary compiled for both Intel and Mac1 CPUs. This makes Silver Sparrow among the first strains detected to target the recently-developed 5mm macOS processor.
Once all the commands are written onto the affected device, there are several scripts that exist on disk. The first script executes immediately following installation to contact a system controlled by the hackers to indicate that installation is complete, while the second executes periodically because of the persistent LaunchAgent to contact the command and control server for more information.
This LaunchAgent provides a means to instruct the macOS initialisation system to periodically execute tasks on an automatic basis. This LaunchAgent tells this system to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.
Every hour, this gets checked for additional instructions and downloadable content, including malicious URLs. Curiously, the researchers haven’t observed a final payload being delivered over the course of more than a week, so they haven’t been able to determine Silver Sparrow’s actual purpose.
“At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe,” said Red Canary intelligence analyst Tony Lambert.
“We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”
The business guide to ransomware
Everything you need to know to keep your company afloatDownload now
This is in addition to several other mysteries, including how users initially download the file as well as the presence of a file check that removes all persistence mechanisms and scripts. Above all, the Mach-O binary included within the malware only runs if a victim intentionally seeks and launches it, showing messages including “Hello, World!” and “You did it!”, suggesting this threat is perhaps under development in a proof-of-concept stage.
Red Canary doesn’t have an accurate picture of when Silver Sparrow first emerged, but through its investigations determined that it perhaps first arose in August 2020, with the M1 version springing up for the first time in September.
Consumer choice and the payment experience
A software provider's guide to getting, growing, and keeping customersDownload now
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email securityDownload now
Business in the new economy landscape
How we coped with 2020 and looking ahead to a brighter 2021Download now
How to increase cyber resilience within your organisation
Cyber resilience for dummiesDownload now