Mysterious malware infects 30,000 Mac computers

A piece of malware that has infected almost 30,000 Mac computers has triggered questions over its intent and ultimate payload.

SEE: Security Awareness and Training policy (TechRepublic Premium)

Based on data from Malwarebytes, the malware dubbed Silver Sparrow by researchers at Red Canary, has so far landed on 29,139 macOS machines across 153 countries, including the US, UK, Canada, France and Germany. Questions have arisen because the malware hasn’t actually done anything malicious yet, meaning there’s been no observed payload delivery and no conclusions as to its purpose.

What is known is that Silver Sparrow is a strain of malware designed for Macs powered by the new Apple M1 chip, which the company introduced late last year as a move away from Intel architecture. This makes it only the second known piece of macOS malware to target the new chips, according to Ars Technica. With the missing payload piece and other questions, the malware has led to concerns among Red Canary researchers.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary said in a blog post published last Thursday.

For its analysis, Red Canary said that its researchers uncovered two version of the malware: One compiled for Intel x86_64 architecture only and a second compiled for both Intel x86_64 and M1 ARM64 architecture. So far, the binary code for Silver Sparrow doesn’t seem to do much, prompting Red Canary to refer to it as “bystander binaries.”

The malware is distributed in two different packages—updater.pkg and update.pkg. Both use the same techniques for execution, with the only difference being in the compilation of the binary code. The binary for updater.pkg seems to be a placeholder for other content. For now, executing the script simply displays the message: “Hello, World!” Similarly, executing the binary for update.pkg displays the message: “You did it!”

The other unique aspect of Silver Sparrow is that its installer packages take advantage of the macOS Installer JavaScript API to run suspicious commands, according to Red Canary researchers, the first time they’ve seen this tactic used by malware. Though Silver Sparrow seems benign for now, the people behind it could simply be laying the foundation for a malicious attack.

“The ultimate goal of this malware is a mystery,” Red Canary said in its blog post. “We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”

To help Mac users check for the presence of Silver Sparrow as well as other threats, Red Canary offers the following advice:

• Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps find multiple macOS malware families establishing LaunchAgent persistence.
• Look for a process that appears to be sqlite3 executing in conjunction with a command line that contains LSQuarantine. This analytic helps find multiple macOS malware families manipulating or searching metadata for downloaded files.
• Look for a process that appears to be curl executing in conjunction with a command line that contains s3.amazonaws.com. This analytic helps find multiple macOS malware families using S3 buckets for distribution.

Also see