Who’s faster? Apple's M1 Chip Challenged By Silver Sparrow Malware

Who’s faster? Apple’s M1 Chip Challenged By Silver Sparrow Malware

Silver Sparrow is a newly designed malware that includes a binary specifically designed to run on Apple’s new M1 chips.

The newest Mac processor from Apple has already felt pecking from Silver Sparrow, a Mac-specific binary targeting the ARM64 architecture used by Apple’s newest processors. 

Malwarebytes data showed Silver Sparrow had infected 29,000+ macOS endpoints in 153 countries, mostly in the United States, the United Kingdom, Canada, France, and Germany.  But the Red Canary researchers said Silver Sparrow had not released any malicious payloads yet. Even though, it can do so anytime at a moment’s notice. 

A new strain of macOS downloader was detected and analyzed by Red Canary detection engineers Wes Hurd and Jason Killam. 

The malware used a LaunchAgent to establish persistence and it was different from other known adware targeting macOS systems. The novelty was primarily in the way it used JavaScript for execution and its communication with a command-and-control infrastructure on AWS servers and Akamai’s CDN. 

Tony Lambert, an intelligence analyst at Red Canary, says “the malware has a greater chance of success on M1 systems due to the [relative lack of] availability of security tools for the new architecture.”

Silver Sparrow used an anti-detection approach that revolved around using JavaScript API to automate installation and persistence. Researchers have not seen this behavior in Mac malware before. Lambert says this is something that security software can miss.

Who’s faster? Apple's M1 Chip Challenged By Silver Sparrow Malware
Three JavaScript functions Silver Sparrow’s installer used

Red Canary notified Apple and Amazon of the new malware, and both companies have taken measures to prevent the execution of the binary.

“Thankfully, that risk is decreasing due to the response of Apple and Amazon… They both have internal processes to investigate and remove malicious use of their systems,” Lambert says. “That said, it’s still possible that versions of Silver Sparrow exist in the wild that no vendors have observed and that use different S3 instances or callback domains. Those users would definitely be at risk.”

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.