A previously undiscovered piece of malware found on nearly 30,000 Macs worldwide is generating intrigue in security circles, which are still trying to understand exactly what it does and what purpose its self-destruct capability serves.
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have not observed the delivery of a payload on any of the roughly 30,000 infected machines, leaving the ultimate goal of the malware unknown. The lack of a final payload suggests the malware may spring into action once some as-yet-unknown condition is met.
Also curious, the malware comes with a mechanism to remove itself, an ability usually reserved for high-stealth operations. So far, however, there is no evidence that the self-destruct function has been used, which raises the question of why the mechanism exists.
Also notable, the malware has a version that runs natively on the M1 chip.
The malware has been found in 153 countries, with detections concentrated in the United States, the United Kingdom, Canada, France and Germany. The use of Amazon Web Services and the Akamai content delivery network ensures that the command infrastructure works reliably and also makes it more difficult to block the servers. Researchers from Red Canary, the security firm that discovered the malware, have named it Silver Sparrow.
Reasonably serious threat
“Although we have not yet observed Silver Sparrow delivering more malicious payloads, the forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload in an instant,” Red Canary researchers wrote in a blog post published Friday. “Given these concerns, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
Silver Sparrow comes in two versions: one containing a Mach-O (mach-object) binary compiled for Intel x86_64 processors and the other a Mach-O binary for the M1. The image in the original post provides a high-level overview of the two versions.
Silver Sparrow is only the second piece of malware known to contain code that runs natively on Apple’s new M1 chip. An adware sample reported earlier this week was the first. Native M1 code runs with greater speed and reliability on the new platform than x86_64 code does, because it does not need to be translated before it is executed. Many developers of legitimate macOS apps still have not completed the process of recompiling their code for the M1. Silver Sparrow’s M1 version suggests that its developers are ahead of the curve.
Once Silver Sparrow is installed, it checks for the URL from which the installation package was downloaded, most likely so that the malware operators know which distribution channels are most successful. In this respect, Silver Sparrow once again resembles macOS adware. It is still unclear exactly how or where the malware is distributed or how it gets installed. However, the URL check suggests that malicious search results may be at least one distribution channel. In that case, the installers would likely pose as legitimate apps.
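Because the Intel and M1 builds are distinguished purely by the CPU type recorded in the Mach-O header, an analyst triaging a suspicious binary can tell which platform it targets, and whether it would run natively or under Rosetta 2 translation on an M1 Mac, without executing it. The script below is an added example, not code from the article or from Red Canary's report: it reads the magic and cputype fields of thin and universal (fat) Mach-O headers using the constant values documented in Apple's mach-o/loader.h, mach-o/fat.h and mach/machine.h, and the sample headers it parses are constructed inline for the demonstration rather than taken from any real sample.

```python
"""Classify which CPU architectures a Mach-O binary targets (header fields only)."""
import struct

# Magic values from mach-o/loader.h and mach-o/fat.h.
MH_MAGIC = 0xFEEDFACE      # 32-bit thin Mach-O, native byte order
MH_CIGAM = 0xCEFAEDFE      # 32-bit thin Mach-O, byte-swapped
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit thin Mach-O, native byte order
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit thin Mach-O, byte-swapped
FAT_MAGIC = 0xCAFEBABE     # universal binary header (always big-endian on disk)
FAT_CIGAM = 0xBEBAFECA

# cputype values from mach/machine.h (CPU_ARCH_ABI64 = 0x01000000 marks 64-bit).
CPU_TYPES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}


def _cpu_name(cputype: int) -> str:
    return CPU_TYPES.get(cputype, f"unknown(0x{cputype:08x})")


def _thin_arch(data: bytes, offset: int = 0) -> str:
    """Read cputype from a thin mach_header / mach_header_64 at `offset`."""
    if len(data) < offset + 8:
        raise ValueError("truncated Mach-O header")
    magic = struct.unpack_from("<I", data, offset)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"          # header stored little-endian (x86_64, arm64)
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"          # header stored big-endian (legacy PowerPC layout)
    else:
        raise ValueError(f"not a Mach-O header: magic 0x{magic:08x}")
    cputype = struct.unpack_from(endian + "I", data, offset + 4)[0]
    return _cpu_name(cputype)


def macho_architectures(data: bytes) -> list:
    """Return the architectures in a thin or universal Mach-O file, in file order."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    fat_magic = struct.unpack_from(">I", data, 0)[0]
    if fat_magic in (FAT_MAGIC, FAT_CIGAM):
        endian = ">" if fat_magic == FAT_MAGIC else "<"
        nfat_arch = struct.unpack_from(endian + "I", data, 4)[0]
        # Java class files also begin with 0xCAFEBABE; a real fat header has a
        # small slice count, whereas a class file has a version number here.
        if nfat_arch == 0 or nfat_arch > 32:
            raise ValueError("implausible fat_arch count; not a universal Mach-O")
        archs = []
        for i in range(nfat_arch):
            entry = 8 + 20 * i                      # each fat_arch is 5 x uint32
            if len(data) < entry + 20:
                raise ValueError("truncated fat_arch table")
            cputype = struct.unpack_from(endian + "I", data, entry)[0]
            archs.append(_cpu_name(cputype))
        return archs
    return [_thin_arch(data)]


def m1_native_status(archs: list) -> str:
    """Summarise how the binary would run on an Apple-silicon (M1) Mac."""
    if "arm64" in archs and "x86_64" in archs:
        return "universal: native arm64 slice plus x86_64 slice"
    if "arm64" in archs:
        return "arm64-only: runs natively on M1"
    if "x86_64" in archs:
        return "x86_64-only: runs on M1 only via Rosetta 2 translation"
    return "no arm64 or x86_64 slice"


# Constructed sample headers (not real malware): magic, cputype, cpusubtype,
# filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags, reserved.
SAMPLE_INTEL = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0)
SAMPLE_M1 = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, 0, 0)
# Fat header with two fat_arch entries (cputype, cpusubtype, offset, size, align);
# only the table is needed here, so the slices themselves are omitted.
SAMPLE_UNIVERSAL = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">5I", 0x01000007, 3, 0x4000, 0x100, 14)
    + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0x100, 14)
)

if __name__ == "__main__":
    for name, blob in [("intel", SAMPLE_INTEL), ("m1", SAMPLE_M1),
                       ("universal", SAMPLE_UNIVERSAL)]:
        archs = macho_architectures(blob)
        print(f"{name:10s} {archs} -> {m1_native_status(archs)}")
```

On a real file, pass `open(path, "rb").read(4096)` to `macho_architectures`; only the first few hundred bytes are consulted. The header tells you the target architecture, not whether the code is malicious, so pair it with the indicators of compromise from the original report rather than treating an arm64 slice as suspicious on its own.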
Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with colleagues at Malwarebytes, who found Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That is a significant number.
“To me, the most remarkable thing is that it was found on almost 30,000 macOS endpoints … and these are just the endpoints Malwarebytes can see, so the number is probably much higher,” Patrick Wardle, a macOS security expert, wrote in an Internet message. “It’s quite widespread … and shows again that macOS malware is becoming increasingly pervasive and common, despite Apple’s best efforts.”
For those who want to check whether their Mac has been infected, Red Canary provides indicators of compromise at the end of its report.