A second known piece of malware compiled to run natively on M1 Macs has been discovered by security firm Red Canary.
Red Canary said that the malware, which it calls “Silver Sparrow,” could be “a reasonably serious threat”:
Although we have not yet observed Silver Sparrow delivering more malicious payloads, the forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.
According to data provided by Malwarebytes, “Silver Sparrow” had infected 29,139 macOS systems in 153 countries as of February 17, including “large detection volumes in the United States, the United Kingdom, Canada, France and Germany.” Red Canary did not specify how many of these systems were M1 Macs.
Given that the “Silver Sparrow” binaries “do not seem to be doing much” yet, Red Canary referred to them as “bystander binaries.” On Intel-based Macs, the binary simply displays a blank window with the message “Hello, World!”, while the Apple Silicon binary opens a red window that says “You did it!”
Red Canary shared detection methods that cover a wide range of macOS threats; the steps are not specific to detecting “Silver Sparrow”:
– Look for a process that appears to be PlistBuddy in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analysis helps find several macOS malware families that establish LaunchAgent persistence.
– Look for a process that appears to be sqlite3 in conjunction with a command line containing: LSQuarantine. This analysis helps find several macOS malware families that manipulate or search the metadata for downloaded files.
– Look for a process that appears to be curl in conjunction with a command line containing: s3.amazonaws.com. This analysis helps find several macOS malware families that use S3 buckets for distribution.
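As an added illustration, not code from Red Canary or from the original article, here is a small Python scan that applies the three hunting tips above to constructed process-event lines; the log line format, the rule names and the sample command lines are my own assumptions.

```python
import os

# Rules paraphrasing the three hunting tips above:
# (process basename, substrings that must all appear in the command line).
# The rule names are my own labels, not Red Canary's.
RULES = {
    "launchagent_persistence_via_plistbuddy": ("PlistBuddy", ("LaunchAgents", "RunAtLoad", "true")),
    "lsquarantine_metadata_access_via_sqlite3": ("sqlite3", ("LSQuarantine",)),
    "s3_download_via_curl": ("curl", ("s3.amazonaws.com",)),
}

def parse_event(line):
    """Parse an assumed event line '<timestamp> proc=<path> cmd=<command line>'
    into (process basename, full command line)."""
    head, cmdline = line.split(" cmd=", 1)
    proc_path = head.split(" proc=", 1)[1]
    return os.path.basename(proc_path), cmdline

def match_rules(proc, cmdline):
    """Return the names of every rule that fires for one process event.
    Matching is case-insensitive, so 'plistbuddy' and 'PlistBuddy' both count."""
    lowered = cmdline.lower()
    return [name for name, (want_proc, needles) in RULES.items()
            if proc.lower() == want_proc.lower()
            and all(n.lower() in lowered for n in needles)]

def scan(lines):
    """Run every rule over every event; returns (timestamp, rule name) pairs."""
    hits = []
    for line in lines:
        proc, cmdline = parse_event(line)
        timestamp = line.split(" ", 1)[0]
        hits.extend((timestamp, rule) for rule in match_rules(proc, cmdline))
    return hits

# Constructed sample events (not real telemetry): three should fire, two are benign.
SAMPLE_LOG = [
    "2021-02-18T09:00:01Z proc=/usr/libexec/PlistBuddy cmd=PlistBuddy -c 'Add :RunAtLoad bool true' /Users/u/Library/LaunchAgents/com.example.agent.plist",
    "2021-02-18T09:00:02Z proc=/usr/libexec/PlistBuddy cmd=PlistBuddy -c 'Print :CFBundleIdentifier' /Applications/Safari.app/Contents/Info.plist",
    "2021-02-18T09:00:03Z proc=/usr/bin/sqlite3 cmd=sqlite3 /Users/u/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select * from LSQuarantineEvent'",
    "2021-02-18T09:00:04Z proc=/usr/bin/curl cmd=curl -s https://example-bucket.s3.amazonaws.com/file.txt -o /tmp/file.txt",
    "2021-02-18T09:00:05Z proc=/usr/bin/curl cmd=curl -s https://www.example.com/",
]

if __name__ == "__main__":
    for timestamp, rule in scan(SAMPLE_LOG):
        print(timestamp, rule)
```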
The first piece of malware that can run natively on M1 Macs was discovered just a few days ago. Technical details about this second piece of malware can be found in Red Canary’s blog post, and Ars Technica has a good explainer too.