A previously undetected piece of malware found on nearly 30,000 Macs worldwide is generating intrigue in security circles, where researchers are still trying to understand exactly what it does and what purpose its ability to self-destruct serves.
Once an hour, infected Macs check the control server for new commands to run or binaries to execute. So far, however, researchers have not observed the delivery of any payload on any of the roughly 30,000 infected machines, so the ultimate goal of the malware remains unknown. The absence of a final payload suggests the malware may be waiting for an as-yet-unknown condition to be met before it goes into action.
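An hourly check-in is the kind of regular pattern a detection team can hunt for in outbound-connection logs even when the destination (here, AWS and Akamai infrastructure) is too ordinary to block. The following is an added example, not code from the article or from Red Canary: it parses a constructed proxy log of `timestamp source destination` lines and flags (source, destination) pairs whose connections recur at a fixed interval. The host names, the log format and the 60-second tolerance are assumptions for the example; the article says only that the check-in happens once an hour.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the page or Red Canary's report):
# "<ISO timestamp> <source host> <destination host>", one outbound connection per line.
# mac-01 contacts a hypothetical host at the top of every hour; the rest is noise.
SAMPLE_LOG = """\
2021-02-17T09:00:04Z mac-01 cdn.example-update.test
2021-02-17T09:12:31Z mac-01 www.apple.com
2021-02-17T10:00:06Z mac-01 cdn.example-update.test
2021-02-17T10:41:10Z mac-01 www.apple.com
2021-02-17T11:00:02Z mac-01 cdn.example-update.test
2021-02-17T12:00:05Z mac-01 cdn.example-update.test
2021-02-17T12:00:05Z mac-02 www.apple.com
2021-02-17T13:00:07Z mac-01 cdn.example-update.test
2021-02-17T13:33:45Z mac-02 www.apple.com
2021-02-17T15:02:00Z mac-02 www.apple.com
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(events, period_s=3600, tolerance_s=60, min_hits=4):
    """Return (src, dst) pairs whose consecutive connections are spaced
    period_s seconds apart, give or take tolerance_s.

    Every gap must fit the period, so a single off-schedule connection to
    the same destination breaks the pattern; that strictness is the
    trade-off of this simple check (see the note after the block)."""
    hits = []
    for (src, dst), times in events.items():
        if len(times) < min_hits:
            continue  # too few samples to call the traffic periodic
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period_s) <= tolerance_s for g in gaps):
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "mean_gap_s": mean(gaps),
                "jitter_s": pstdev(gaps),
            })
    return hits


def hourly_beacons(log_text=SAMPLE_LOG):
    """Parse the log and report pairs that beacon once an hour."""
    return find_beacons(parse_log(log_text))


if __name__ == "__main__":
    for hit in hourly_beacons():
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"mean gap {hit['mean_gap_s']:.0f}s, jitter {hit['jitter_s']:.1f}s")
```

Two caveats apply in practice. Malware that adds random jitter to its interval will not pass a strict per-gap tolerance, so a production detector tests the distribution of gaps (low variance relative to the mean) rather than each gap individually. And legitimate software, update agents and telemetry in particular, also phones home hourly, so a hit is a lead to join with destination reputation and process information, not a verdict on its own.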
It is also curious that the malware comes with a complete self-removal mechanism, a capability usually reserved for high-stealth operations. So far, however, there is no indication that the self-destruct feature has been used, which raises the question of why it exists.
The malware has been found in 153 countries, with detections concentrated in the US, UK, Canada, France and Germany. Its use of Amazon Web Services and the Akamai content delivery network gives the command infrastructure reliable hosting and makes blocking the servers difficult. Researchers from Red Canary, the security firm that discovered the malware, call it Silver Sparrow.
A reasonably serious threat
“While we haven’t yet noticed how Silver Sparrow delivers additional malicious cargo, its compatibility with M1 chips, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver potentially influential payloads in an instant,” Red Canary researchers wrote in a blog post published on Friday. “Given these reasons for concern, in a spirit of transparency, we wanted to share sooner rather than later everything we know with the wider infosec industry.”
Silver Sparrow comes in two versions: one a Mach-O binary compiled for Intel x86_64 processors, the other a Mach-O binary compiled for the M1. The image below offers a high-level overview of the two versions:
Silver Sparrow is only the second known piece of malware containing code that runs natively on Apple’s new M1 chip; a sample of adware reported earlier this week was the first. Native M1 code runs with greater speed and reliability on the new platform than x86_64 code, because it does not have to be translated before execution. Many developers of legitimate macOS applications have not yet finished recompiling their code for the M1, so the M1 version of Silver Sparrow suggests its developers are ahead of the curve.
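Whether a Mach-O binary carries native arm64 code, x86_64 code that would run under Rosetta translation, or both in one universal file is recorded in the first bytes of the file, so an analyst triaging a sample can answer the question without running it. The following is an added example, not code from the article or from Red Canary: it parses the thin Mach-O header and the fat (universal) header and reports the architectures present. The sample binaries it checks are constructed headers with no load commands, built inline to stand in for the two builds described above; they are not the Silver Sparrow binaries and would not execute.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>).
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O; header fields are little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal (fat) container; its header is big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {
    0x00000007: "i386",
    CPU_TYPE_X86_64: "x86_64",
    0x0000000C: "arm",
    CPU_TYPE_ARM64: "arm64",
}


def macho_architectures(data: bytes) -> list:
    """Return the CPU architectures contained in a Mach-O blob.

    Handles a thin (single-architecture) file and a fat/universal file
    whose header table lists one slice per architecture."""
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):
            off = 8 + i * 20  # struct fat_arch: five big-endian uint32s
            cputype, _subtype, offset, _size, _align = struct.unpack(
                ">IIIII", data[off:off + 20])
            # Each slice must itself start with a thin Mach-O magic.
            slice_magic = struct.unpack("<I", data[offset:offset + 4])[0]
            if slice_magic not in (MH_MAGIC, MH_MAGIC_64):
                raise ValueError(f"fat slice {i} is not Mach-O")
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        cputype = struct.unpack("<I", data[4:8])[0]  # second header field
        return [CPU_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O file")


def runs_natively_on_m1(data: bytes) -> bool:
    """True if the binary carries arm64 code, i.e. needs no Rosetta translation."""
    return "arm64" in macho_architectures(data)


def architectures_of_file(path: str) -> list:
    """Same check on a file on disk."""
    with open(path, "rb") as f:
        return macho_architectures(f.read())


def _thin_header(cputype: int) -> bytes:
    """Constructed mach_header_64 with zero load commands (a header, not a program)."""
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def _fat(slices) -> bytes:
    """Constructed universal binary; real files page-align slices, this packs them back to back."""
    table_len = 8 + 20 * len(slices)
    table, body, offset = b"", b"", table_len
    for cputype, blob in slices:
        table += struct.pack(">IIIII", cputype, 0, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + body


# Constructed samples standing in for the two builds described in the text.
X86_64_SAMPLE = _thin_header(CPU_TYPE_X86_64)
ARM64_SAMPLE = _thin_header(CPU_TYPE_ARM64)
UNIVERSAL_SAMPLE = _fat([(CPU_TYPE_X86_64, X86_64_SAMPLE), (CPU_TYPE_ARM64, ARM64_SAMPLE)])

if __name__ == "__main__":
    for name, blob in [("x86_64", X86_64_SAMPLE), ("arm64", ARM64_SAMPLE),
                       ("universal", UNIVERSAL_SAMPLE)]:
        print(name, macho_architectures(blob), "native on M1:", runs_natively_on_m1(blob))
```

On a Mac, `lipo -archs <file>` and `file <file>` report the same information; the point of reading the headers yourself is to triage a collected sample on any platform, and to make the distinction the article draws explicit: an x86_64-only slice runs on an M1 only through translation, while an arm64 slice runs natively.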
Once installed, Silver Sparrow looks up the URL from which the installation package was downloaded, most likely so that the malware’s operators know which distribution channels are most successful. In this respect Silver Sparrow resembles previously seen macOS adware. It remains unclear how and where the malware is distributed or how it gets installed. The URL check, however, suggests that malicious search results may be at least one distribution channel, in which case the installers would likely present themselves as legitimate applications.
Among the most striking things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, who found Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That is a significant number.
“The most notable [thing] is that it was found on almost 30,000 macOS endpoints … and these are just the endpoints that Malwarebytes can see, so the number is probably much higher,” Patrick Wardle, a macOS security expert, wrote in an email. “It’s pretty widespread … and again it shows that macOS malware is becoming more prevalent and common, despite Apple’s best efforts.”
For those wanting to check whether their Mac is infected, Red Canary provides indicators of compromise at the end of its report.