Mysterious macOS malware discovered with M1 optimization, threat remains unclear

Security researchers have discovered previously undetected malware, affecting Mac users worldwide, including new Macs with M1. Red Canary researchers say this “Silver Sparrow” malware forces infected Macs to check a control server once an hour, but the real threat remains a mystery.

As reported by Ars Technica, the researchers have yet to observe a “real delivery of any payload” on infected machines, so the ultimate goal of this malware is unknown. “The lack of a final payload suggests that the malware can take action as soon as an unknown condition is met,” explains the report.

The malware also comes with its own “self-destruct” mechanism, but there is no evidence that it has yet been used. Silver Sparrow was found on 29,139 macOS endpoints worldwide.

The malicious binary is even more mysterious because it uses the macOS installer JavaScript API to execute commands. This makes it harder to inspect the contents of the installation package and to see how the package uses those JavaScript commands.

The malware was found in 153 countries, with detections concentrated in the United States, United Kingdom, Canada, France and Germany. Its use of Amazon Web Services and the Akamai content delivery network gives the command infrastructure reliable hosting and also makes the servers difficult to block.

Silver Sparrow malware also runs natively on Apple’s M1 chip. This makes it the second malware discovered that is optimized for Apple Silicon, with the first coming earlier this week. This does not mean that M1 Macs are specifically targeted; rather, the malware can affect M1 Macs and Intel Macs equally.

The M1 optimization, combined with factors such as the infection rate and operational maturity, is what worries Red Canary researchers:

“While we haven’t seen Silver Sparrow deliver additional malicious payloads yet, its prospective M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver an impactful potential payload at any time. In view of these concerns, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry, sooner or later.”

Again, researchers have not yet observed the binary doing anything, but it is a looming threat. You can read more on the Red Canary blog post here.
