A previously undetected piece of malware found on nearly 30,000 Macs worldwide is intriguing security researchers, who are still trying to work out exactly what it does and what purpose its self-destruct capability serves.
Once an hour, infected Macs check a control server to see whether there are new commands for the malware to run or new binaries to execute. So far, however, the researchers have not observed any of the 30,000 infected computers delivering data, leaving the malware's ultimate target unknown. The lack of a final payload suggests the malware may spring into action once some as yet unknown condition is met.
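A defender's view of the check-in behaviour just described, as an added example that is not Red Canary's code: a small detector that flags host/domain pairs in web-proxy logs whose requests recur at a near-constant hourly period. The log format, host names and the `.invalid` domain are constructed for the example.

```python
# Added example (not Red Canary's code): flag (host, domain) pairs in web-proxy
# logs that recur at a near-constant period, the hourly check-in pattern
# described above. Log format and the ".invalid" domain are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: "ISO-timestamp host domain". mac-01 polls the
# placeholder domain hourly with small jitter; mac-02 browses normally.
SAMPLE_LOG = """\
2021-02-17T08:00:03 mac-01 updates.example-c2.invalid
2021-02-17T08:05:41 mac-01 www.apple.com
2021-02-17T09:00:07 mac-01 updates.example-c2.invalid
2021-02-17T10:00:01 mac-01 updates.example-c2.invalid
2021-02-17T10:15:22 mac-01 www.apple.com
2021-02-17T11:00:09 mac-01 updates.example-c2.invalid
2021-02-17T12:00:02 mac-01 updates.example-c2.invalid
2021-02-17T08:03:00 mac-02 www.apple.com
2021-02-17T08:04:10 mac-02 www.apple.com
2021-02-17T11:30:00 mac-02 www.apple.com
2021-02-17T16:02:00 mac-02 www.apple.com
"""

def parse_log(text):
    """Yield (host, domain, timestamp) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, host, domain = line.split()
            yield host, domain, datetime.fromisoformat(ts)

def find_beacons(log_text, period=3600, tolerance=0.05, min_hits=4):
    """Return [(host, domain, median_gap_s)] for pairs seen >= min_hits times
    whose gaps are centred on `period` and vary by <= tolerance * period."""
    seen = defaultdict(list)
    for host, domain, ts in parse_log(log_text):
        seen[(host, domain)].append(ts)
    hits = []
    for (host, domain), stamps in seen.items():
        if len(stamps) < min_hits:
            continue                      # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if abs(med - period) <= tolerance * period and pstdev(gaps) <= tolerance * period:
            hits.append((host, domain, med))
    return hits

if __name__ == "__main__":
    for host, domain, med in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {domain}: ~{med:.0f}s period")
```

Legitimate updaters also poll on fixed schedules, so on real proxy or DNS logs treat hits as triage leads and compare them against the indicators Red Canary published rather than as verdicts on their own.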
The malware also has a mechanism that lets it remove itself completely, a feature usually reserved for high-stealth operations. So far, however, there is no evidence that the self-destruct function has ever been used, which raises the question of why the mechanism exists.
The malware was found in 153 countries, with detections concentrated in the US, UK, Canada, France and Germany. Hosting the command infrastructure on Amazon Web Services and Akamai's content delivery network keeps it reliably reachable and makes the servers hard to block. Researchers at Red Canary, the security company that discovered the malware, call it Silver Sparrow.
Somewhat serious threat
“While we haven't seen Silver Sparrow deliver additional malicious payloads, its advanced compatibility with M1 chips, global reach, relatively high infection rate, and operational readiness suggest that Silver Sparrow poses a reasonably serious threat, uniquely positioned to deliver potentially impactful payloads in the shortest amount of time,” Red Canary researchers wrote in a blog post published on Friday. “With this cause for concern, in a spirit of transparency we wanted to share everything we know with the broader infosec industry sooner rather than later.”
Silver Sparrow comes in two versions: one with a Mach-O binary compiled for Intel x86_64 processors, the other with a Mach-O binary compiled for the M1. The following figure gives a general overview of the two versions:
Silver Sparrow is only the second malware to contain code that runs natively on Apple's new M1 chip. An adware example reported earlier this week was the first. The native M1 code runs faster and more reliably on the new platform than the x86_64 code, as the former does not need to be translated before it can be executed. Many developers of legitimate macOS apps have not yet completed the process of recompiling their code for the M1. Silver Sparrow's M1 version suggests the developers are ahead of the curve.
After installation, Silver Sparrow looks up the URL from which the installation package was downloaded, most likely so that the malware operators know which distribution channels are most successful. In this regard, Silver Sparrow resembles the macOS adware reported earlier. It remains unclear how or where the malware is spread or how it gets installed. However, the URL check suggests that malicious search results could be at least one distribution channel. If so, the installers would likely pose as legitimate apps.
One of the most striking things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, who found that Silver Sparrow was installed on 29,139 macOS endpoints as of Wednesday. That is a significant achievement.
"To me, the most remarkable [thing] is that it was found on nearly 30,000 macOS endpoints … and these are only endpoints that Malwarebytes can see, so the number is likely much higher," Patrick Wardle, a macOS security expert, wrote in an online message. "This is pretty widespread … and again shows that despite Apple's efforts, macOS malware is becoming more widespread and commonplace."
For those looking to check if their Mac is infected, Red Canary provides indicators of compromise at the end of its report.