Red Canary Blows The Whistle On Silver Sparrow
There’s Something Amiss With Macs, Especially The New M1 Chip
A new and mysterious piece of malware has been found sitting on tens of thousands of Macs, and so far it seems content simply to exist: it is not doing anything yet. There are two versions of this idle malware, one for Intel x86_64 processors and one built specifically for Apple's new M1 chip. For now it spreads by a method that has not been identified, reports a successful installation, and does nothing more.
Red Canary, the security company that reported on Silver Sparrow, has determined that the malware relies on Amazon Web Services and Akamai infrastructure for distribution, though the method of infection is not yet known beyond the fact that it makes use of the macOS Installer JavaScript API. Once it successfully infects a machine it sends a notification confirming the installation, most likely so those behind the scheme can tell which distribution methods are working. It also creates a LaunchAgent that checks a server every hour for a payload to download and run, but so far nothing has been uploaded.
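That hourly LaunchAgent check-in is the one behaviour on this page a defender can actually hunt for. The script below is an added example, not code from the page, from Red Canary, or from the malware itself: it parses LaunchAgent plists and flags jobs that combine a short StartInterval with a shell interpreter or a script in a user-writable location. The two plists embedded in it are constructed for the demonstration; their labels, paths and thresholds are placeholders chosen for illustration, not Silver Sparrow's real indicators.

```python
#!/usr/bin/env python3
"""Hunt for LaunchAgent persistence that polls a server on a timer.

Added example, not code from the original page or from Red Canary.
Flags plists whose job runs on a short StartInterval (hourly or faster)
and whose program is a shell interpreter, a downloader, or a script
living in a user-writable directory.
"""
from __future__ import annotations

import os
import plistlib
import tempfile

# Hourly polling is what the page describes; anything at or under this is worth a look.
MAX_INTERVAL_SECONDS = 3600

# Assumption: a reasonable starting list of interpreters/downloaders, not an exhaustive one.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/curl",
                "/usr/bin/osascript", "/usr/bin/python3"}

# Script locations a signed vendor agent would rarely use (assumption, tune to your fleet).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample: modelled on the hourly shell-script check-in described above.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>/Users/alice/Library/Application Support/updater/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Constructed sample: a plausible benign vendor helper with no timer and a proper binary.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.vendorhelper</string>
  <key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def assess_job(job: dict) -> list[str]:
    """Return human-readable reasons a launchd job looks like a polling beacon."""
    reasons = []
    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= MAX_INTERVAL_SECONDS:
        reasons.append(f"StartInterval={interval}s: polls at least hourly")
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    if program in INTERPRETERS:
        reasons.append(f"program is an interpreter or downloader: {program}")
    for arg in args[1:]:
        if arg.startswith(SUSPICIOUS_DIRS) or arg.endswith(".sh"):
            reasons.append(f"runs a script from a user-writable location: {arg}")
    if job.get("RunAtLoad") is True:
        reasons.append("RunAtLoad=true: also fires at login")
    return reasons


def is_polling_beacon(reasons: list[str]) -> bool:
    """A timer alone is normal (updaters poll too); timer plus interpreter/script is the hunt."""
    has_timer = any(r.startswith("StartInterval") for r in reasons)
    has_exec = any(r.startswith(("program is", "runs a script")) for r in reasons)
    return has_timer and has_exec


def scan_launch_agents(directory: str) -> dict[str, list[str]]:
    """Parse every .plist in directory; return {path: reasons} for jobs that look like beacons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException, ValueError):
            continue  # unreadable or malformed plist: launchd would not load it either
        if not isinstance(job, dict):
            continue
        reasons = assess_job(job)
        if is_polling_beacon(reasons):
            findings[path] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Write the constructed plists to a temp dir, scan it, and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("com.example.updater.plist", SUSPICIOUS_PLIST),
                           ("com.example.vendorhelper.plist", BENIGN_PLIST)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): r for p, r in scan_launch_agents(tmp).items()}


if __name__ == "__main__":
    # On a real Mac, point scan_launch_agents at ~/Library/LaunchAgents,
    # /Library/LaunchAgents and /Library/LaunchDaemons instead of the samples.
    for path, reasons in demo().items():
        print(path)
        for r in reasons:
            print("  -", r)
```

The benign sample is deliberately left with RunAtLoad set so the check does not fire on login-time helpers alone; only the combination of a short timer and an interpreter or loose script is reported, which is the pattern the page describes.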
Apple has revoked the developer certificates for both binaries, which should help block further installs of the signed packages, though that is more of a workaround than a permanent resolution. Researchers did execute the binaries, with rather odd results: the x86_64 binary displays "Hello World!" while the M1 binary reads "You did it!".
Follow the links from Ars Technica to find out if your Mac is one of the ones currently infected.
A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.