Silver Sparrow is a newly designed malware that includes a binary specifically designed to run on Apple’s new M1 chips.
The newest Mac processor from Apple has already felt pecking from Silver Sparrow, a Mac-specific binary targeting the ARM64 architecture used by Apple’s newest processors.
Malwarebytes data showed Silver Sparrow had infected 29,000+ macOS endpoints in 153 countries, mostly in the United States, the United Kingdom, Canada, France, and Germany. But the Red Canary researchers said Silver Sparrow had not released any malicious payloads yet. Even though, it can do so anytime at a moment’s notice.
A new strain of macOS downloader was detected and analyzed by Red Canary detection engineers Wes Hurd and Jason Killam.
The malware used a LaunchAgent to establish persistence and it was different from other known adware targeting macOS systems. The novelty was primarily in the way it used JavaScript for execution and its communication with a command-and-control infrastructure on AWS servers and Akamai’s CDN.
Tony Lambert, an intelligence analyst at Red Canary, says “the malware has a greater chance of success on M1 systems due to the [relative lack of] availability of security tools for the new architecture.”
Silver Sparrow used an anti-detection approach that revolved around using JavaScript API to automate installation and persistence. Researchers have not seen this behavior in Mac malware before. Lambert says this is something that security software can miss.
Red Canary notified Apple and Amazon of the new malware, and both companies have taken measures to prevent the execution of the binary.
“Thankfully, that risk is decreasing due to the response of Apple and Amazon… They both have internal processes to investigate and remove malicious use of their systems,” Lambert says. “That said, it’s still possible that versions of Silver Sparrow exist in the wild that no vendors have observed and that use different S3 instances or callback domains. Those users would definitely be at risk.”
