Mysterious Silver Sparrow malware hits 30,000 macOS devices

The cluster is among the first to spread malware affecting devices fitted with Apple’s new M1 chip

A close-up shot of a MacBook keyboard

Researchers have identified a novel cluster of macOS-specific malware strains that have infected almost 30,000 Mac endpoints across the world, including machines fitted with Apple’s new M1 CPU.

Dubbed Silver Sparrow, the malware strains use a LaunchAgent to establish their presence on a victim’s machine and uses JavaScript for execution. Most worrying of all is its apparent compatibility with the M1 ARM64 architecture, according to Red Canary researchers who've tracked the cluster’s activities. 

There are two versions of the Silver Sparrow malware that have targeted 29,139 macOS endpoints as of 17 February combined. Infections were discovered across 153 countries but there were high volumes of detection recorded in the UK, US, Canada, France and Germany. 

The difference between these two strains is chiefly that the first only contained a Mach-O binary compiled for Intel architecture while the second included a binary compiled for both Intel and Mac1 CPUs. This makes Silver Sparrow among the first strains detected to target the recently-developed 5mm macOS processor.

The installer packages of both strains use the macOS Installer JavaScript API to execute suspicious commands. This is something normally found in legitimate software and represents the first time Red Canary's researchers have observed this in malware. Malware ordinarily uses pre-install or post-install scripts to execute commands.

Once all the commands are written onto the affected device, there are several scripts that exist on disk. The first script executes immediately following installation to contact a system controlled by the hackers to indicate that installation is complete, while the second executes periodically because of the persistent LaunchAgent to contact the command and control server for more information.

This LaunchAgent provides a means to instruct the macOS initialisation system to periodically execute tasks on an automatic basis. This LaunchAgent tells this system to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions. 

Every hour, this gets checked for additional instructions and downloadable content, including malicious URLs. Curiously, the researchers haven’t observed a final payload being delivered over the course of more than a week, so they haven’t been able to determine Silver Sparrow’s actual purpose. 

“At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe,” said Red Canary intelligence analyst Tony Lambert.

“We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”

Related Resource

The business guide to ransomware

Everything you need to know to keep your company afloat

The business guide to ransomware - whitepaper from DattoDownload now

This is in addition to several other mysteries, including how users initially download the file as well as the presence of a file check that removes all persistence mechanisms and scripts. Above all, the Mach-O binary included within the malware only runs if a victim intentionally seeks and launches it, showing messages including “Hello, World!” and “You did it!”, suggesting this threat is perhaps under development in a proof-of-concept stage. 

Red Canary doesn’t have an accurate picture of when Silver Sparrow first emerged, but through its investigations determined that it perhaps first arose in August 2020, with the M1 version springing up for the first time in September.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Weakness in Mamba ransomware could help recover data
ransomware

Weakness in Mamba ransomware could help recover data

26 Mar 2021
Invoice ZLoader campaign hides within encrypted Excel docs
malware

Invoice ZLoader campaign hides within encrypted Excel docs

8 Mar 2021

Most Popular

REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Samsung Galaxy S21 Ultra review: Ultra in every sense of the word
Mobile Phones

Samsung Galaxy S21 Ultra review: Ultra in every sense of the word

22 Apr 2021