Mysterious malware infects 30,000 Mac computers

Known as Silver Sparrow, the malware’s intent is still unknown as it has yet to deliver an actual payload, says security firm Red Canary.

malware in a computer system

Image: kaptnali, Getty Images/iStockphoto

A piece of malware that has infected almost 30,000 Mac computers has triggered questions over its intent and ultimate payload.

SEE: Security Awareness and Training policy (TechRepublic Premium)

More about cybersecurity

Based on data from Malwarebytes, the malware dubbed Silver Sparrow by researchers at Red Canary, has so far landed on 29,139 macOS machines across 153 countries, including the US, UK, Canada, France and Germany. Questions have arisen because the malware hasn’t actually done anything malicious yet, meaning there’s been no observed payload delivery and no conclusions as to its purpose.

What is known is that Silver Sparrow is a strain of malware designed for Macs powered by the new Apple M1 chip, which the company introduced late last year as a move away from Intel architecture. This makes it only the second known piece of macOS malware to target the new chips, according to Ars Technica. With the missing payload piece and other questions, the malware has led to concerns among Red Canary researchers.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary said in a blog post published last Thursday.

For its analysis, Red Canary said that its researchers uncovered two version of the malware: One compiled for Intel x86_64 architecture only and a second compiled for both Intel x86_64 and M1 ARM64 architecture. So far, the binary code for Silver Sparrow doesn’t seem to do much, prompting Red Canary to refer to it as “bystander binaries.”

The malware is distributed in two different packages—updater.pkg and update.pkg. Both use the same techniques for execution, with the only difference being in the compilation of the binary code. The binary for updater.pkg seems to be a placeholder for other content. For now, executing the script simply displays the message: “Hello, World!” Similarly, executing the binary for update.pkg displays the message: “You did it!”

The malware infects a machine through a specific process, Tony Lambert, intelligence analyst for Red Canary, explained to TechRepublic:

While performing routine tasks on the internet, such as viewing search engine results, you encounter a page that tells you to download an update. Once downloaded, you click through any warnings and install the downloaded PKG file. During installation, the malware creates a persistence mechanism, which ensures that it remains on the machine. After that, scripts run at regular intervals to check for any additional payload.

One unique aspect of Silver Sparrow is that its installer packages take advantage of the macOS Installer JavaScript API to run suspicious commands, according to Red Canary researchers, the first time they’ve seen this tactic used by malware.

“The novelty from this threat is twofold,” Lambert said. “First, we don’t commonly see malware using JavaScript inside a PKG file to perform actions like Silver Sparrow does. Second, one version of Silver Sparrow contained a placeholder executable compiled to support M1 architecture.”

Silver Sparrow is a potential threat because it allows arbitrary code to be downloaded and executed without the user’s knowledge, Lambert added. This can include potential code from any URL. Though Silver Sparrow seems benign for now, the people behind it could simply be laying the foundation for a malicious attack.

“The ultimate goal of this malware is a mystery,” Red Canary said in its blog post. “We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”

Aware of Silver Sparrow, Apple has taken steps to mitigate it as well, a company spokesperson told TechRepublic. After discovering the malware, Apple revoked the certificates of the developer accounts that signed the packages, which prevents new computers from getting infected. Further, the company employs such protection as the Apple notary service to detect and prevent malware from running on a machine.

Even with Apple’s protection, Red Canary advises users to run third-party antivirus or antimalware products to supplement the antimalware protections in the operating system. On a more technical security or developer level, Red Canary also offers the following advice to enterprises:

  1. Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps find multiple macOS malware families establishing LaunchAgent persistence.
  2. Look for a process that appears to be sqlite3 executing in conjunction with a command line that contains LSQuarantine. This analytic helps find multiple macOS malware families manipulating or searching metadata for downloaded files.
  3. Look for a process that appears to be curl executing in conjunction with a command line that contains s3.amazonaws.com. This analytic helps find multiple macOS malware families using S3 buckets for distribution.

Editor’s note: This article has been updated with additional comment.

Also see