Security firm Red Canary says the purpose of the malware known as Silver Sparrow is still unknown, because it has yet to deliver a real payload.
Malware that has infected almost 30,000 Mac computers has raised questions about its purpose and ultimate payload.
Named Silver Sparrow by researchers at Red Canary, the malware has so far landed on 29,139 macOS machines in 153 countries, including the US, UK, Canada, France and Germany, based on data from Malwarebytes. The questions arise because the malware has not yet done anything malicious: no payload delivery has been observed, so no conclusion about its purpose can be drawn.
Silver Sparrow is notable as malware built to run on Macs powered by Apple's new M1 chip, which Apple introduced late last year as it moved away from Intel architecture. That makes it only the second known piece of macOS malware targeting the new chip, according to Ars Technica. The missing payload and other open questions have raised concerns among Red Canary researchers.
“While we have not yet observed Silver Sparrow delivering additional malicious payloads, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity make Silver Sparrow a very serious and potentially effective threat,” Red Canary said in a blog post published last Thursday, “positioned to deliver a payload at a moment’s notice.”
In its analysis, Red Canary said its researchers uncovered two versions of the malware: one compiled solely for the Intel x86_64 architecture, and a second compiled for both Intel x86_64 and M1 ARM64 architectures. So far, Silver Sparrow’s binaries do not appear to do much, leading Red Canary to refer to them as “bystander binaries”.
The malware is distributed in two different packages: updater.pkg and update.pkg. Both use the same techniques for execution; the only difference is the binary each one carries. The binary in updater.pkg looks like a placeholder for other content: for now, running it simply displays the message “Hello, World!” Similarly, running the binary from update.pkg simply displays the message “Done!”
Red Canary intelligence analyst Tony Lambert explained to TechRepublic that the malware infects a machine through the following process:
When you perform routine tasks such as viewing search engine results on the Internet, you come across a page telling you to download an update. After downloading it, you click through any alerts and install the downloaded PKG file. During installation, the malware creates a persistence mechanism that ensures it remains on the machine. After that, its scripts run periodically to check for a payload.
Lambert added that Silver Sparrow is a potential threat because it allows arbitrary code to be downloaded and executed without the user’s knowledge, including code fetched from any URL. While Silver Sparrow seems harmless for now, the people behind it may be laying the groundwork for a malicious attack.
“The ultimate goal of this malware is a mystery,” Red Canary said in the blog post. “Whether a payload has already been delivered and removed, or whether the adversary has a future timeline for deployment, we have no way of knowing exactly which payload the malware will distribute. According to data shared with us by Malwarebytes, nearly 30,000 affected hosts have not downloaded a next or final payload.”
A company spokesperson told TechRepublic that Apple is aware of Silver Sparrow and is taking steps to mitigate it. After discovering the malware, Apple revoked the certificates of the developer accounts that signed the packages, which prevents new machines from being infected. The company also relies on protections such as its notarization service to detect and block malware before it runs on a machine.
Even with Apple’s protections in place, Red Canary advises users to run third-party antivirus or anti-malware products to supplement the operating system’s built-in anti-malware defenses. At a more technical security or developer level, Red Canary also advises businesses to:
- Look for a process that appears to be PlistBuddy executing with a command line that includes LaunchAgents, RunAtLoad and true. This analytic helps find multiple macOS malware families that create LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing with a command line that contains LSQuarantine. This analytic helps find multiple macOS malware families that process or search the metadata of downloaded files.
- Look for a process that appears to be curl executing with a command line that contains s3.amazonaws.com. This analytic helps find multiple macOS malware families that use S3 buckets for distribution.
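The three analytics above, implemented as simple process-command-line rules and run over constructed sample telemetry. This is an added example, not Red Canary's or TechRepublic's code; the event field names (`process`, `cmdline`) and the sample command lines are assumptions about what a macOS EDR would record.

```python
# Added example: the three Red Canary analytics as command-line matching rules.
# Telemetry field names and sample events are constructed for illustration.

# One rule per analytic: process basename, substrings the command line must
# contain (all required, case-insensitive), and a label for the alert.
RULES = [
    ("PlistBuddy", ["LaunchAgents", "RunAtLoad", "true"],
     "LaunchAgent persistence created via PlistBuddy"),
    ("sqlite3", ["LSQuarantine"],
     "Quarantine (LSQuarantine) metadata queried via sqlite3"),
    ("curl", ["s3.amazonaws.com"],
     "Download from an S3 bucket via curl"),
]

def match_event(event):
    """Return the labels of every rule this process event matches."""
    proc = event["process"].rsplit("/", 1)[-1].lower()  # compare basename only
    cmd = event["cmdline"].lower()
    hits = []
    for name, needles, label in RULES:
        if proc == name.lower() and all(n.lower() in cmd for n in needles):
            hits.append(label)
    return hits

def scan(events):
    """Return (event index, label) pairs for every analytic that fires."""
    return [(i, label) for i, ev in enumerate(events) for label in match_event(ev)]

# Constructed sample telemetry: three events that should fire, two that should not.
SAMPLE_EVENTS = [
    {"process": "/usr/libexec/PlistBuddy",
     "cmdline": 'PlistBuddy -c "Add :Label string EXAMPLE_LABEL" '
                '-c "Add :RunAtLoad bool true" '
                "/Users/me/Library/LaunchAgents/EXAMPLE_LABEL.plist"},
    {"process": "/usr/bin/sqlite3",
     "cmdline": "sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "
                "'select LSQuarantineDataURLString from LSQuarantineEvent'"},
    {"process": "/usr/bin/curl",
     "cmdline": "curl -s https://EXAMPLE-BUCKET.s3.amazonaws.com/version.json"},
    {"process": "/usr/bin/curl",          # benign: not an S3 host
     "cmdline": "curl -s https://example.com/index.html"},
    {"process": "/usr/libexec/PlistBuddy",  # benign: reads an app's Info.plist
     "cmdline": "PlistBuddy -c Print /Applications/Example.app/Contents/Info.plist"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Substring rules like these are deliberately broad (they catch benign admin activity too), so in practice they are triage analytics to be reviewed, not blocking rules.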
Editor’s note: This article has been updated with additional comments.