IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Mysterious Silver Sparrow malware hits 30,000 macOS devices

The cluster is among the first to spread malware affecting devices fitted with Apple’s new M1 chip

Researchers have identified a novel cluster of macOS-specific malware strains that have infected almost 30,000 Mac endpoints across the world, including machines fitted with Apple’s new M1 CPU.

Dubbed Silver Sparrow, the malware strains use a LaunchAgent to establish their presence on a victim’s machine and uses JavaScript for execution. Most worrying of all is its apparent compatibility with the M1 ARM64 architecture, according to Red Canary researchers who've tracked the cluster’s activities. 

There are two versions of the Silver Sparrow malware that have targeted 29,139 macOS endpoints as of 17 February combined. Infections were discovered across 153 countries but there were high volumes of detection recorded in the UK, US, Canada, France and Germany. 

The difference between these two strains is chiefly that the first only contained a Mach-O binary compiled for Intel architecture while the second included a binary compiled for both Intel and Mac1 CPUs. This makes Silver Sparrow among the first strains detected to target the recently-developed 5mm macOS processor.

The installer packages of both strains use the macOS Installer JavaScript API to execute suspicious commands. This is something normally found in legitimate software and represents the first time Red Canary's researchers have observed this in malware. Malware ordinarily uses pre-install or post-install scripts to execute commands.

Once all the commands are written onto the affected device, there are several scripts that exist on disk. The first script executes immediately following installation to contact a system controlled by the hackers to indicate that installation is complete, while the second executes periodically because of the persistent LaunchAgent to contact the command and control server for more information.

This LaunchAgent provides a means to instruct the macOS initialisation system to periodically execute tasks on an automatic basis. This LaunchAgent tells this system to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions. 

Every hour, this gets checked for additional instructions and downloadable content, including malicious URLs. Curiously, the researchers haven’t observed a final payload being delivered over the course of more than a week, so they haven’t been able to determine Silver Sparrow’s actual purpose. 

“At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe,” said Red Canary intelligence analyst Tony Lambert.

“We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”

Related Resource

The business guide to ransomware

Everything you need to know to keep your company afloat

The business guide to ransomware - whitepaper from DattoFree download

This is in addition to several other mysteries, including how users initially download the file as well as the presence of a file check that removes all persistence mechanisms and scripts. Above all, the Mach-O binary included within the malware only runs if a victim intentionally seeks and launches it, showing messages including “Hello, World!” and “You did it!”, suggesting this threat is perhaps under development in a proof-of-concept stage. 

Red Canary doesn’t have an accurate picture of when Silver Sparrow first emerged, but through its investigations determined that it perhaps first arose in August 2020, with the M1 version springing up for the first time in September.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022