30,000 Macs infected with new Silver Sparrow malware

[Image: Heye Jensen]

Security researchers have discovered a new malware operation targeting Mac devices that silently infected nearly 30,000 systems.

Named Silver Sparrow, the malware was discovered by security researchers at Red Canary and analyzed in conjunction with researchers from Malwarebytes and VMWare Carbon Black.

“According to data provided by Malwarebytes, Silver Sparrow infected 29,139 macOS endpoints in 153 countries on February 17, including high detection volumes in the United States, United Kingdom, Canada, France and Germany,” wrote Tony Lambert of Red Canary in a report published last week.

But despite the high number of infections, details about how the malware was distributed and how it infected users are still scarce, and it is unclear whether Silver Sparrow was hidden within malicious ads, pirated apps or fake Flash updaters, the classic distribution vectors for most Mac malware strains these days.

The purpose of this malware is also unclear, and researchers do not know what its ultimate goal is.

After Silver Sparrow infects a system, the malware simply waits for new commands from its operators. No such commands arrived during the period in which the researchers analyzed it, even though they held back their report in the hope of learning more about its inner workings first.

But that should not be interpreted as a failed strain of malware, warns Red Canary. The malware may be able to detect that it is running under analysis and simply avoid delivering its second-stage payloads to those systems.

The large number of infected systems clearly suggests that this is a serious threat and not just a few isolated tests by the threat actor.

Silver Sparrow supports M1 chips

In addition, the malware comes with support for infecting macOS systems running on Apple’s latest M1 chip architecture, further confirming that it is a new and well-maintained threat.

In fact, Silver Sparrow is the second strain of malware discovered that can run on M1 architectures after the first was discovered just four days earlier, showing exactly how cutting edge this new threat really is.

“Although we haven’t seen Silver Sparrow deliver additional malicious payloads yet, its prospective M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to provide an impactful potential payload at any time,” Lambert warned in his report.

“In view of these concerns, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry as soon as possible.”

The Red Canary report contains indicators of compromise, such as the files and file paths created and used by the malware, that can be used to detect infected systems.
