Mysterious malware infecting Apple Silicon Macs has no payload – yet

More malware affecting Apple Silicon Macs was discovered, but the researchers found that a malicious payload is currently missing.

It appears that there may be more malware targeting Apple's M1-based Macs than previously thought. Following initial reports of the first M1-native malware found in the wild, a second strain has turned up, though so far a particularly toothless one.

In early February, Red Canary researchers discovered a strain of macOS malware that used a LaunchAgent to establish its presence on the system, alongside some other forms of malware. What interested the researchers was that it behaved differently from typical adware because of the way it used JavaScript to execute.

The malware cluster, which the researchers named "Silver Sparrow", also included a binary compiled to run natively on M1 chips, making it malware capable of targeting Apple Silicon Macs.

Further research by VMware Carbon Black and Malwarebytes determined that Silver Sparrow was likely a "previously undetected strain of malware". As of February 17, it had been detected on 29,139 macOS endpoints in 153 countries, with most infections in the USA, the UK, Canada, France and Germany.

At the time of publication, the malware had not been used to deliver a malicious payload to the infected Macs, although that could change. Because of its M1 compatibility, its "relatively high infection rate" and its operational maturity, the malware was considered a serious enough threat that it is "uniquely positioned to deliver a potentially impacting load at any time", prompting public disclosure.

Two versions of the malware were discovered: the payload of one was a binary compiled only for Intel-based Macs, while the other carried a binary compiled for both the Intel and M1 architectures. The payload is apparently a placeholder, as the first version opens a window that literally says "Hello, World!" and the second says "You did it!"

[Image: an example of the included binary, via Red Canary]

Had the payload been malicious, the same or similar payload instructions could have affected both architectures from a single executable.

The malware arrived in files called "update.pkg" and "updater.pkg", disguised as installers. The packages take advantage of the macOS Installer's JavaScript API to execute suspicious commands.

This is behavior sometimes seen in legitimate software but not in malware, which generally relies on pre-installation or post-installation scripts to run commands.

Once installed, the infection checks a specific URL for a downloadable file, which may contain further instructions or a final payload. A week of monitoring turned up no final payload being served, though that could still change.
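The three behaviours described above (installer JavaScript that runs commands, a LaunchAgent that keeps the infection alive, and a periodic check of a URL for a download) are all visible in plain-text artifacts that a defender can inspect. The following Python script is an added example, not code from the report or from Red Canary: it parses a PKG "Distribution" file for `system.run(...)` calls in its installer JavaScript, and parses LaunchAgent plists for scheduled commands that fetch from a URL. The XML samples, paths, identifiers and URL in it are constructed placeholders; the legitimate-helper plist is included because, as the article notes, the same mechanisms are also used by benign software, so the output is triage input, not a verdict.

```python
import re
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample of a PKG "Distribution" file whose installer JavaScript calls
# system.run() to execute a script at install time. Paths, identifiers and the
# script name are placeholders, not values from the report.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Updater</title>
    <options customize="never" require-scripts="true"/>
    <script>
    <![CDATA[
    function installationCheck() {
        // runs a script bundled in the package before anything is installed
        system.run("/tmp/example_preflight", "-c");
        return true;
    }
    ]]>
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.updater"/></choice>
    <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed LaunchAgent plists: one that re-runs a shell command on a timer to
# fetch a file from a (placeholder) URL, and one benign app helper for contrast.
BEACONING_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>Label</key><string>example.agent</string>
    <key>ProgramArguments</key><array>
        <string>/bin/sh</string><string>-c</string>
        <string>curl -s https://example.invalid/update.txt -o /tmp/example_version.txt</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""
BENIGN_AGENT = b"""<plist version="1.0"><dict>
    <key>Label</key><string>example.helper</string>
    <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
    <key>RunAtLoad</key><true/>
</dict></plist>
"""

SYSTEM_RUN_RE = re.compile(r"system\.run\s*\(\s*([^)]*)\)")
URL_RE = re.compile(r"https?://[^\s\"']+")
DOWNLOAD_TOOLS = ("curl", "wget", "nscurl")


def extract_installer_scripts(distribution_xml: str) -> list:
    """Return the JavaScript body of every <script> element in a Distribution file."""
    root = ET.fromstring(distribution_xml.encode("utf-8"))
    return [(el.text or "").strip() for el in root.iter("script")]


def find_system_run_calls(javascript: str) -> list:
    """List the argument text of each system.run(...) call, the Installer JS API that runs a command."""
    return [m.group(1).strip() for m in SYSTEM_RUN_RE.finditer(javascript)]


def assess_distribution(distribution_xml: str) -> dict:
    """Summarise whether the package executes commands from installer JavaScript."""
    scripts = extract_installer_scripts(distribution_xml)
    calls = [call for script in scripts for call in find_system_run_calls(script)]
    return {"script_count": len(scripts), "system_run_calls": calls,
            "runs_commands_from_js": bool(calls)}


def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Flag a LaunchAgent that runs on a schedule and uses a download tool against a URL."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments", [])
    joined = " ".join(args)
    urls = URL_RE.findall(joined)
    uses_downloader = any(tool in joined for tool in DOWNLOAD_TOOLS)
    findings = []
    if agent.get("RunAtLoad"):
        findings.append("runs at login")
    if "StartInterval" in agent:
        findings.append("repeats every %ds" % agent["StartInterval"])
    if uses_downloader:
        findings.append("invokes a download tool")
    if urls:
        findings.append("contacts " + ", ".join(urls))
    return {"label": agent.get("Label"), "program_arguments": args, "urls": urls,
            "findings": findings, "beacons": uses_downloader and bool(urls)}


if __name__ == "__main__":
    print("Distribution:", assess_distribution(SAMPLE_DISTRIBUTION))
    for sample in (BEACONING_AGENT, BENIGN_AGENT):
        print("LaunchAgent:", assess_launch_agent(sample))
```

On a real system the inputs come from `pkgutil --expand update.pkg <dir>` (which writes the `Distribution` file) and from `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the script deliberately reports what it sees rather than scoring it, because an installation check that runs a script, or an agent that polls a vendor URL, is also what legitimate updaters do.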

Several questions about Silver Sparrow remain unanswered for the researchers, including where the initial PKG files used to infect systems came from, and why parts of the malware's code appear to belong to a broader toolkit.

“The ultimate goal of this malware is a mystery,” admits Red Canary. “We have no way of knowing with certainty what payload would be distributed by the malware, whether a payload has already been delivered and removed or whether the adversary has a future schedule for distribution.”

There is also the question of why the "Hello World" executables were included at all, since the binary is not run automatically and executes only if the victim actively finds and launches it. Their presence suggests that the malware may still be in development, or that an application bundle was needed to make the package appear legitimate to other parties.
