Researchers have identified a novel cluster of macOS-specific malware strains that have infected almost 30,000 Mac endpoints across the world, including machines fitted with Apple’s new M1 CPU.
Dubbed Silver Sparrow, the malware strains use a LaunchAgent to establish their presence on a victim’s machine and uses JavaScript for execution. Most worrying of all is its apparent compatibility with the M1 ARM64 architecture, according to Red Canary researchers who've tracked the cluster’s activities.
There are two versions of the Silver Sparrow malware that have targeted 29,139 macOS endpoints as of 17 February combined. Infections were discovered across 153 countries but there were high volumes of detection recorded in the UK, US, Canada, France and Germany.
The difference between these two strains is chiefly that the first only contained a Mach-O binary compiled for Intel architecture while the second included a binary compiled for both Intel and Mac1 CPUs. This makes Silver Sparrow among the first strains detected to target the recently-developed 5mm macOS processor.
The installer packages of both strains use the macOS Installer JavaScript API to execute suspicious commands. This is something normally found in legitimate software and represents the first time Red Canary's researchers have observed this in malware. Malware ordinarily uses pre-install or post-install scripts to execute commands.
Once all the commands are written onto the affected device, there are several scripts that exist on disk. The first script executes immediately following installation to contact a system controlled by the hackers to indicate that installation is complete, while the second executes periodically because of the persistent LaunchAgent to contact the command and control server for more information.
This LaunchAgent provides a means to instruct the macOS initialisation system to periodically execute tasks on an automatic basis. This LaunchAgent tells this system to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.
Every hour, this gets checked for additional instructions and downloadable content, including malicious URLs. Curiously, the researchers haven’t observed a final payload being delivered over the course of more than a week, so they haven’t been able to determine Silver Sparrow’s actual purpose.
“At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe,” said Red Canary intelligence analyst Tony Lambert.
“We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”
The business guide to ransomware
Everything you need to know to keep your company afloat
This is in addition to several other mysteries, including how users initially download the file as well as the presence of a file check that removes all persistence mechanisms and scripts. Above all, the Mach-O binary included within the malware only runs if a victim intentionally seeks and launches it, showing messages including “Hello, World!” and “You did it!”, suggesting this threat is perhaps under development in a proof-of-concept stage.
Red Canary doesn’t have an accurate picture of when Silver Sparrow first emerged, but through its investigations determined that it perhaps first arose in August 2020, with the M1 version springing up for the first time in September.
