M1 Macs targeted for additional malware, the exact threat remains a mystery

The second known malware that was compiled to run natively on M1 Macs was discovered by security company Red Canary.



Named “Silver Sparrow”, the malicious package leverages the macOS installer JavaScript API to execute suspicious commands. After watching the malware for more than a week, however, neither Red Canary nor its research partners saw a final payload, so the exact threat that the malware poses remains a mystery.

However, Red Canary said that the malware could still be “a reasonably serious threat”:

Although we have not seen Silver Sparrow delivering additional malicious payloads yet, its prospective M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at any time.

According to data provided by Malwarebytes, “Silver Sparrow” infected 29,139 macOS systems in 153 countries on February 17, including “high detection volumes in the United States, United Kingdom, Canada, France and Germany”. Red Canary did not specify how many of those systems were M1 Macs, if any.

Given that the “Silver Sparrow” binaries “don’t seem to do much yet”, Red Canary referred to them as “spectator binaries”. When run on Intel-based Macs, the malicious package simply shows a blank window with a “Hello, World!” message, while the Apple Silicon binary opens a red window that says “You did it!”



Red Canary shared methods for detecting a wide range of macOS threats, although the steps are not specific to “Silver Sparrow”:

– Look for a process that appears to be PlistBuddy running with a command line containing all of the following: LaunchAgents, RunAtLoad and true. This analysis helps find several families of macOS malware that establish persistence via a LaunchAgent.
– Look for a process that appears to be sqlite3 running with a command line containing: LSQuarantine. This analysis helps find several families of macOS malware that manipulate or search the quarantine metadata of downloaded files.
– Look for a process that appears to be curl running with a command line containing: s3.amazonaws.com. This analysis helps find several families of macOS malware that use S3 buckets for distribution.
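The three hunting rules above can be expressed as simple process-telemetry matches. The following is an added example written for this page, not code from Red Canary or from the article; it assumes endpoint events with a `process` (executable path) and a `cmdline` field, and runs the rules over a handful of constructed sample events, two of which are benign administrative commands that the rules correctly ignore.

```python
"""Apply Red Canary's three process-based macOS hunting heuristics to sample
endpoint telemetry. Added example, not the article's or Red Canary's code.
The ProcessEvent field names are an assumption about the telemetry format;
map your EDR or osquery process-event export onto them.
"""

import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    process: str  # executable path or name as reported by the endpoint agent
    cmdline: str  # full command line of the process


# Each rule: (rule name, expected process basename, substrings that must ALL
# appear in the command line). Strings are taken from the article's list.
RULES = [
    ("launchagent_persistence", "PlistBuddy", ["LaunchAgents", "RunAtLoad", "true"]),
    ("lsquarantine_tampering", "sqlite3", ["LSQuarantine"]),
    ("s3_download", "curl", ["s3.amazonaws.com"]),
]


def match_rules(event, rules=RULES):
    """Return the names of every rule matched by a single process event."""
    name = os.path.basename(event.process)
    hits = []
    for rule_name, proc, needles in rules:
        if name == proc and all(n in event.cmdline for n in needles):
            hits.append(rule_name)
    return hits


def scan(events, rules=RULES):
    """Return (event, matched rule names) for each event that hits any rule."""
    results = []
    for ev in events:
        hits = match_rules(ev, rules)
        if hits:
            results.append((ev, hits))
    return results


# Constructed sample telemetry for demonstration; not real Silver Sparrow data.
SAMPLE_EVENTS = [
    # LaunchAgent persistence being written with RunAtLoad=true
    ProcessEvent(
        "/usr/libexec/PlistBuddy",
        '/usr/libexec/PlistBuddy -c "Add :RunAtLoad bool true" '
        "/Users/alice/Library/LaunchAgents/com.example.agent.plist",
    ),
    # Reading the LaunchServices quarantine database
    ProcessEvent(
        "/usr/bin/sqlite3",
        "sqlite3 /Users/alice/Library/Preferences/"
        "com.apple.LaunchServices.QuarantineEventsV2 "
        "'select LSQuarantineDataURLString from LSQuarantineEvent'",
    ),
    # Download from an S3 bucket
    ProcessEvent(
        "/usr/bin/curl",
        "curl -s https://example-bucket.s3.amazonaws.com/pkg.tar.gz -o /tmp/pkg",
    ),
    # Benign: curl to an ordinary site
    ProcessEvent("/usr/bin/curl", "curl https://example.org/index.html"),
    # Benign: PlistBuddy only printing a system preferences file
    ProcessEvent(
        "/usr/libexec/PlistBuddy",
        "/usr/libexec/PlistBuddy -c Print "
        "/Library/Preferences/SystemConfiguration/preferences.plist",
    ),
]


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}: {ev.cmdline}")
```

These are hunting heuristics rather than signatures: legitimate software also installs LaunchAgents and downloads from S3, so a hit is a lead to triage (check the plist path, the bucket name and the parent process) rather than an alert on its own.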

The first piece of malware capable of running natively on M1 Macs was discovered a few days ago. Technical details on this second malware can be found in the Red Canary blog post, and Ars Technica has a good explainer too.
