Malware dubbed Silver Sparrow has not yet engaged in any malicious activity.
Mysterious malware
The malware, dubbed “Silver Sparrow” by Red Canary, puzzles researchers because its motive remains unclear.
“Most malware has a definitive goal,” Brian Donohue, an intelligence analyst at Red Canary, told ABC News via email. “It could be stealing sensitive information, causing damage to devices or servers, or blocking access to data. In this case, we do not actually know what the ultimate goal is, because we have not observed Silver Sparrow engaging in malicious activity.”
However, Donohue noted that most malware operations consist of several supporting stages that take place before the malicious activity itself, such as gaining initial access or moving between devices on a network.
“As for Silver Sparrow, we have seen other parts of the malware operation, although we have not observed the final payload,” he added. “For example, we have observed it using macOS built-in features to install itself on victim machines and to maintain persistence across reboots.”
Donohue said a member of Red Canary’s cyber incident response team first discovered the malware – which includes code that runs on Apple’s new M1 chip – based on suspicious behavior on a customer’s device. The source of the malware has not been identified.
“As of today, we can confirm that the threat has infected nearly 40,000 macOS devices,” he told ABC News, citing published data from antivirus company Malwarebytes, although he said that figure was likely an “underestimation of the overall scale of the threat.”
He added that the malware has been called mysterious for two reasons. The first is that it lacks a final payload, so researchers cannot determine the purpose of the threat.
“The second is a file that, if found on an infected machine, causes Silver Sparrow to uninstall itself,” Donohue said. “We do not know why this file is present on certain systems or why its presence causes Silver Sparrow to uninstall itself.”
Although Silver Sparrow does not currently deliver a malicious payload, Donohue said they are “concerned that it may be updated to deliver one in an instant.”
“This is reinforced by the fact that it has a presence on almost 40,000 machines and all the infrastructure needed to support a more concerning threat,” he said.
Apple told ABC News that, after discovering the malware, it revoked the certificates of the developer accounts used to sign the packages, which prevents new computers from becoming infected.
Apple pointed to its security protections and mechanisms, saying the App Store is the safest place to get software for Macs. In addition, Apple said it uses industry-leading technical mechanisms to protect users by detecting and blocking malicious software downloaded from outside the Mac App Store.
The company also noted, as the researchers made clear, that there is no evidence the malware has delivered a malicious payload.