New malware found on 30,000 Macs has baffled security professionals


Previously undetected malware, found on nearly 30,000 Macs worldwide, is causing intrigue in security circles, which are still trying to understand precisely what it does and what purpose its self-destruct capability serves.

Once an hour, infected Macs check a control server for new commands or binaries to execute. So far, however, the researchers have yet to observe the delivery of any payload on any of the 30,000 infected machines, leaving the malware's ultimate goal unknown. The absence of a final payload suggests that the malware may spring into action as soon as an as-yet-unknown condition is met.
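The hourly check-in described above is the kind of behaviour a defender can look for in proxy or DNS logs: a process that sleeps a fixed time between beacons produces inter-arrival gaps with very little variation, while human browsing does not. The following is an added example, not code from the article or from Red Canary; the log lines are constructed, the hostnames are placeholders rather than Silver Sparrow indicators, and the 5% jitter threshold is an illustrative choice.

```python
"""Flag (source, destination) pairs whose connections recur at a near-fixed interval.

Added example, not from the article or from Red Canary. The log below is constructed;
the hostnames are placeholders, not indicators of compromise.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-style log: "<ISO timestamp> <source host> <destination host>".
# mac-101 talks to the placeholder "CDN" host almost exactly once an hour;
# everything else is irregular, human-looking traffic.
SAMPLE_LOG = """\
2021-02-17T09:00:04Z mac-101 updates.example-cdn.invalid
2021-02-17T09:12:31Z mac-101 www.example.com
2021-02-17T10:00:09Z mac-101 updates.example-cdn.invalid
2021-02-17T10:41:55Z mac-101 www.example.com
2021-02-17T11:00:02Z mac-101 updates.example-cdn.invalid
2021-02-17T12:00:07Z mac-101 updates.example-cdn.invalid
2021-02-17T13:00:05Z mac-101 updates.example-cdn.invalid
2021-02-17T09:03:00Z mac-202 www.example.com
2021-02-17T09:50:00Z mac-202 www.example.com
2021-02-17T13:20:00Z mac-202 www.example.com
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed log format."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series


def find_beacons(series, min_events=4, max_jitter=0.05):
    """Return (src, dst, mean_gap_seconds) for pairs whose gaps are nearly constant.

    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections. A timer-driven check-in scores close to
    zero; interactive traffic scores far higher. min_events avoids judging
    periodicity from too few samples.
    """
    hits = []
    for (src, dst), times in series.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, avg))
    return hits


def detect(text=SAMPLE_LOG):
    """Run the full pipeline over a log text and return the beaconing pairs."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for src, dst, avg in detect():
        print(f"{src} -> {dst}: every {avg / 60:.1f} minutes")
```

On the constructed log this flags only the mac-101 pair (a roughly 3600-second period). In a real deployment the thresholds would be tuned against a baseline, since legitimate update checkers also beacon on timers; the value of the output is a short list of hosts and destinations worth comparing against the indicators Red Canary published.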

Also curious, the malware comes with a mechanism to remove itself completely, a feature normally reserved for high-stealth operations. So far, however, there are no signs that the self-destruct feature has been used, raising the question of why the mechanism exists.

In addition to these issues, the malware is notable for a version that runs natively on the M1 chip that Apple released in November, making it only the second known macOS malware to do so. The malicious binary is shrouded in further mystery because it uses the macOS Installer JavaScript API to execute commands. This makes it difficult to analyze the contents of the installation package or the way the package uses JavaScript commands.
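A flat macOS installer package is an archive whose `Distribution` file is XML, and its `<script>` elements hold the JavaScript that Installer.app evaluates. One first-pass triage step is to pull out those scripts and list every call that launches an external program. The following is an added example, not code from the article or from Red Canary: the `Distribution` XML is constructed, the command it names is a harmless placeholder, and `system.run` / `system.runOnce` are Apple's documented Installer JavaScript calls for running an external tool.

```python
"""Triage an installer Distribution file for JavaScript that runs external commands.

Added example, not from the article or from Red Canary. SAMPLE_DISTRIBUTION is a
constructed Distribution file; its shell command is a harmless placeholder.
"""
import re
import xml.etree.ElementTree as ET

# Constructed Distribution file shaped like the one inside a flat .pkg.
# system.run is Apple's documented Installer JavaScript call for launching a tool.
SAMPLE_DISTRIBUTION = """\
<installer-gui-script minSpecVersion="1">
    <title>Example Updater</title>
    <options customize="never" allow-external-scripts="yes"/>
    <script>
    <![CDATA[
    function installationCheck() {
        system.run('/bin/sh', '-c', 'echo placeholder');
        return true;
    }
    ]]>
    </script>
    <choices-outline>
        <line choice="default"/>
    </choices-outline>
    <choice id="default" title="Example"/>
    <pkg-ref id="com.example.updater" version="1.0">#example.pkg</pkg-ref>
</installer-gui-script>
"""

# Matches system.run(...) and system.runOnce(...) up to the closing ");".
CALL_PATTERN = re.compile(r"\b(system\.run(?:Once)?)\s*\((.*?)\)\s*;", re.S)


def extract_scripts(distribution_xml):
    """Return the text of every <script> element (CDATA content included)."""
    root = ET.fromstring(distribution_xml)
    return [script.text or "" for script in root.iter("script")]


def find_command_execution(distribution_xml):
    """Return (call_name, argument_list_text) for each external-program call."""
    findings = []
    for script in extract_scripts(distribution_xml):
        for call, args in CALL_PATTERN.findall(script):
            findings.append((call, " ".join(args.split())))
    return findings


def allows_external_scripts(distribution_xml):
    """True when <options allow-external-scripts="yes"/> is set in the file."""
    root = ET.fromstring(distribution_xml)
    options = root.find("options")
    return options is not None and options.get("allow-external-scripts") == "yes"


if __name__ == "__main__":
    print("external scripts allowed:", allows_external_scripts(SAMPLE_DISTRIBUTION))
    for call, args in find_command_execution(SAMPLE_DISTRIBUTION):
        print(f"{call}({args})")
```

To apply this to a real package, expand it with `pkgutil --expand package.pkg outdir` and feed the resulting `Distribution` file to `find_command_execution`. A hit does not by itself prove malice, since legitimate installers also run helper tools, but an installer whose only visible work is a `system.run` of a shell, combined with the "bystander" binaries described below, is exactly the pattern that merits a closer look.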

The malware was found in 153 countries, with detections concentrated in the United States, United Kingdom, Canada, France and Germany. Its use of Amazon Web Services and the Akamai content distribution network ensures that the command-and-control infrastructure works reliably and also makes it difficult to block the servers. Researchers at Red Canary, the security company that discovered the malware, are calling it Silver Sparrow.

Reasonably serious threat

“While we haven’t seen Silver Sparrow deliver additional malicious payloads yet, its prospective M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver an impactful potential payload at any time,” wrote Red Canary researchers in a blog published on Friday. “In view of these concerns, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry, sooner or later.”

Silver Sparrow comes in two versions: one with a Mach-O (mach-object) binary compiled for Intel x86_64 processors and the other with a Mach-O binary compiled for the M1. The image below provides a high-level overview of the two versions:

[Image: Red Canary]

So far, researchers haven’t seen either binary do much, which has led them to refer to the files as “bystander binaries”. Interestingly, when executed, the x86_64 binary displays the words “Hello World!” while the M1 binary reads “You did it!” The researchers suspect that the files are placeholders that give the installer something to distribute beyond the JavaScript execution.

Silver Sparrow is just the second piece of malware to contain code that runs natively on Apple’s new M1 chip. An adware sample reported earlier this week was the first. Native M1 code runs faster and more reliably on the new platform than x86_64 code because the former does not need to be translated before it is executed. Many developers of legitimate macOS applications have not yet completed the process of recompiling their code for the M1. The M1 version of Silver Sparrow suggests that its developers are ahead of the curve.

Once installed, Silver Sparrow looks for the URL from which the installer package was downloaded, probably to let malware operators know which distribution channels are most successful. In that respect, Silver Sparrow resembles the macOS adware seen earlier. It is not yet clear exactly how or where the malware is being distributed or how it is installed. URL scanning, however, suggests that malicious search results may be at least one distribution channel, in which case installers are likely to pose as legitimate applications.

Among the most impressive things about Silver Sparrow is the number of Macs it has infected. The Red Canary researchers worked with their colleagues at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints on Wednesday. This is a significant achievement.

“For me, the most notable [thing] is that it was found on almost 30,000 macOS endpoints … and these are just endpoints that MalwareBytes can see, so the number is probably much higher,” wrote Patrick Wardle, macOS security expert, in an Internet message. “This is widespread … and again shows that macOS malware is becoming more and more widespread and common, despite Apple’s best efforts.”

For those who want to check if their Mac has been infected, Red Canary provides indicators of compromise at the end of its report.
