Security researchers have discovered a previously undetected piece of malware affecting Mac users around the world, including the new M1-powered Macs. Red Canary researchers say that this “Silver Sparrow” malware forces infected Macs to check a control sever once per hour, but the actual threat remains a mystery.
As reported by Ars Technica, the researchers have yet to observe an actual “delivery of any payload” on the infected machines. Therefore, the ultimate goal of this malware is unknown. “The lack of a final payload suggests that the malware may spring into action once an unknown condition is met,” the repot explains.
The malware also comes with its own “self-destruct” mechanism, but there’s no evidence that it has yet been used. Silver Sparrow has been found found on 29,139 macOS endpoints around the world:
The malicious binary is more mysterious still, because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.
The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder.
The Silver Sparrow malware also runs natively on Apple’s M1 chip. This makes it the second piece of malware discovered that is optimized for Apple Silicon, with the first coming earlier this week. This doesn’t mean that M1 Macs are specifically targeted, but the malware can equally affect M1 Macs and Intel Macs.
Optimization for the M1 chip combined with things like the infection rate and maturity is what worries Red Canary researchers:
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice. Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
Again, so far researchers haven’t yet found that the binary does anything — but it’s a threat that looms. You can read more on the Red Canary blog post right here.
Thanks to the gang at 9to5mac.com