
macOS Malware Silver Sparrow Affects About 40,000 Macs Running Both Intel and ARM Chips

Security researchers at Red Canary, Malwarebytes, and VMware Carbon Black discovered a new macOS malware strain, dubbed Silver Sparrow, that infected about 39,000 Macs globally.

Surprisingly, they noted that although Silver Sparrow poses a “reasonably serious threat,” it exhibited none of the malicious behavior expected from common macOS adware.

However, the rogue software remained ready to deliver a “malicious payload at a moment’s notice.”

The researchers also found that the Mac malware was compatible with both Intel and Apple Silicon processors.

Malwarebytes says that the malware spread across 153 countries with the highest concentrations in the United States, the United Kingdom, Canada, France, and Germany.

New macOS malware strain could deliver a malicious payload at a moment’s notice

The researchers said that the Silver Sparrow macOS malware strain had never been observed delivering a malicious payload on any infected device. They nevertheless warned Mac users that, despite its dormancy, it poses a significant risk.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.”

Apple revokes the code signing certificate used to sign the Silver Sparrow installer

Apple revoked the developer certificate used to sign the installer package associated with the Silver Sparrow malware. Revocation stops the signed package from being run on machines that have not yet seen it, but it does nothing for machines that are already infected: the script and its persistence entry remain in place until removed.

Despite Apple’s notarization service, macOS malware developers have successfully targeted Apple products, including machines built on the new M1 (ARM-based) chip such as the MacBook Pro, MacBook Air, and Mac mini.

Apple claims to have “industry-leading” user protections in place, but the malware threat keeps resurfacing.

Indeed, threat actors appear to be ahead of the game, targeting M1 Macs while the platform is still in its infancy and before many legitimate developers have ported their applications to it.

Silver Sparrow macOS malware ships binaries for Intel and ARM, uses AWS and Akamai CDN

The researchers explained Silver Sparrow’s operations in the “Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight” blog post.

The malware was seen in two forms, both Mach-O executables: one compiled only for Intel x86_64 processors, and a universal binary that also carries a native arm64 slice for M1 Macs.

The macOS malware is installed through Apple installer packages (.pkg files) named “update.pkg” or “updater.pkg.”

The packages use the macOS Installer’s JavaScript API, so their code runs during the Installer’s preflight check, before any install script and before the user has even clicked Install. macOS warns only that the package “will run a program to determine if the software can be installed.”

If the user accepts, the JavaScript writes a script named verx.sh to disk, executes it, and registers a per-user LaunchAgent that re-runs it periodically. Aborting the installation at this point is futile because the system is already infected, according to Malwarebytes.

Once installed, the script contacts a command and control server every hour, checking for commands or binaries to execute.
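To see how a package can run code before the user clicks Install, here is an added example of my own (not code from the researchers, and not the malware) that inspects a package’s Distribution file for installation-check or volume-check hooks and for Installer JavaScript calls such as system.run that execute external programs. The two Distribution documents in the block are constructed for illustration; the hook names, the system.run and system.files APIs, and the pkgutil --expand command are real parts of the macOS Installer.

```python
import xml.etree.ElementTree as ET

# Installer JavaScript API calls that execute programs or touch the file
# system from inside a Distribution script (real API names).
SUSPECT_CALLS = ("system.run(", "system.runOnce(", "system.files.")

# Hooks the Installer evaluates during its preflight check, i.e. before the
# user has clicked Install. When they are present macOS warns that the
# package "will run a program to determine if the software can be installed".
CHECK_HOOKS = ("installation-check", "volume-check")


def preflight_report(distribution_xml: str) -> dict:
    """Summarise what a Distribution file would run before installation."""
    root = ET.fromstring(distribution_xml)
    hooks = [(tag, el.get("script"))
             for tag in CHECK_HOOKS
             for el in root.iter(tag)
             if el.get("script")]
    # CDATA bodies of <script> elements arrive as plain element text.
    bodies = [el.text or "" for el in root.iter("script")]
    suspect = sorted({call for body in bodies for call in SUSPECT_CALLS if call in body})
    return {
        "check_hooks": hooks,
        "runs_code_before_install": bool(hooks) and bool(bodies),
        "suspect_calls": suspect,
    }


# Constructed Distribution file modelled on a package that shells out from its
# installation-check hook. Identifiers and paths are illustrative only.
SUSPECT_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
    <title>Updater</title>
    <installation-check script="pm_install_check();"/>
    <script><![CDATA[
    function pm_install_check() {
        system.run("/bin/sh", "-c", "echo preflight > /tmp/example.txt");
        return true;
    }
    ]]></script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Updater"><pkg-ref id="com.example.updater"/></choice>
    <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed benign counterpart: same layout, no check hooks and no scripts.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
    <title>Updater</title>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Updater"><pkg-ref id="com.example.updater"/></choice>
    <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>
"""


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(name, preflight_report(xml))
```

To run this against a real package, expand it first with `pkgutil --expand update.pkg /tmp/expanded` and feed the text of `/tmp/expanded/Distribution` to preflight_report. A hook on its own is not proof of malice (many legitimate installers check disk space or OS version this way), but a check hook whose script calls system.run on an interpreter is exactly the pattern worth pulling apart before clicking anything.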

The command and control infrastructure is hosted on Amazon Web Services (AWS) S3 and the Akamai content delivery network (CDN). The researchers said that hosting on shared cloud services makes the malware harder to block, because the same hosts serve large amounts of legitimate traffic and blocking them by domain or IP address would disrupt that traffic as well.

Surprisingly, the researchers never observed the final payload being deployed, so the ultimate goal of the malware remains a mystery.

They posited that the malware may be waiting for certain conditions to be met before acting. Alternatively, it may detect that it is being analyzed and withhold the payload while under observation.

When executed, the Intel-only binary prints “Hello World” while the universal (Intel and M1) binary displays “You did it!”

The researchers named them “bystander binaries” because neither exhibits any malicious behavior. Additionally, the malware includes a self-removal mechanism: the script checks for the presence of a marker file, ~/Library/._insu, and deletes itself if that file exists, adding to its stealth.

However, they noted that the self-removal feature was never observed in use on any infected device.

After installation, the malware also looks up the URL from which its installer package was downloaded, which macOS records in the LaunchServices quarantine database. The researchers believe the developers wanted to measure which distribution channel was the most effective.
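That same lookup is a useful defender’s check: given a suspicious installer, find out where it came from. The added example below is mine, not code from the researchers or from the malware. It reads the file’s com.apple.quarantine extended attribute, which macOS stamps on downloaded files, and joins the event identifier it carries against the LaunchServices quarantine database. The attribute value and the database row in the block are constructed, and the in-memory table keeps only the columns the query uses; the database path, the xattr command, the table name and the column names are the real macOS ones.

```python
import sqlite3
import subprocess
from pathlib import Path

# Real location of the per-user LaunchServices quarantine database.
QUARANTINE_DB = Path.home() / "Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"


def parse_quarantine_xattr(value: str) -> dict:
    """Split a com.apple.quarantine value: flags;hex-unix-time;agent;event-uuid."""
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError("unexpected com.apple.quarantine value: %r" % value)
    return {
        "flags": parts[0],
        "downloaded_at": int(parts[1], 16),   # seconds since the Unix epoch
        "agent": parts[2],                    # application that wrote the file
        "event_id": parts[3],                 # key into LSQuarantineEvent
    }


def download_origin(conn: sqlite3.Connection, event_id: str):
    """Return the URL the file was fetched from and the page that linked to it."""
    row = conn.execute(
        "SELECT LSQuarantineDataURLString, LSQuarantineOriginURLString, "
        "LSQuarantineAgentName FROM LSQuarantineEvent "
        "WHERE LSQuarantineEventIdentifier = ?",
        (event_id,),
    ).fetchone()
    if row is None:
        return None
    return {"data_url": row[0], "origin_url": row[1], "agent": row[2]}


def read_quarantine_xattr(path: str) -> str:
    """macOS only: shell out to xattr(1) to read the attribute from a real file."""
    out = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


def provenance(path: str, db_path: Path = QUARANTINE_DB) -> dict:
    """End-to-end check on a real Mac: xattr -> event id -> quarantine DB row."""
    meta = parse_quarantine_xattr(read_quarantine_xattr(path))
    conn = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        meta["origin"] = download_origin(conn, meta["event_id"])
    finally:
        conn.close()
    return meta


# Constructed stand-in for the real database: same table and column names,
# reduced to the columns queried above, with one made-up download event.
SAMPLE_EVENT_ID = "2F1B9C3E-4D5A-4B6C-8D7E-9F0A1B2C3D4E"
SAMPLE_XATTR = "0083;602f3a4c;Safari;" + SAMPLE_EVENT_ID


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent ("
        "LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineAgentName TEXT, "
        "LSQuarantineDataURLString TEXT, "
        "LSQuarantineOriginURLString TEXT)"
    )
    conn.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?)",
        (SAMPLE_EVENT_ID, "Safari",
         "https://cdn.example.invalid/update.pkg",
         "https://www.example.invalid/download"),
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    meta = parse_quarantine_xattr(SAMPLE_XATTR)
    print(meta, download_origin(build_sample_db(), meta["event_id"]))
```

On a real Mac, call provenance("/Users/you/Downloads/update.pkg"); the database belongs to the logged-in user and is opened read-only. A file that was never quarantined (fetched with curl, or unpacked from an archive by a tool that strips attributes) has no com.apple.quarantine value, so xattr exits non-zero and the call raises. That absence is itself worth noting, since Gatekeeper only evaluates files that carry the attribute.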

The researchers could not determine how the malware was delivered; plausible distribution channels include fake Flash updates, pirated software, malicious ads, or bundling with otherwise legitimate apps.

“Cybercriminals define the rules of their attacks, and it’s up to us to defend against their tactics, even when those tactics aren’t completely clear,” says Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group. “That’s the situation with Silver Sparrow, the newly identified malware targeting macOS. At present, it doesn’t appear to do too terribly much, but it can provide insights into tactics that we should be defending against.”