Nearly 30,000 Macs in 153 countries have been infected with a new malware strain that security researchers are calling Silver Sparrow.
Discovered by researchers at Red Canary, the malware has been sitting on it hosts waiting for a payload that never arrived.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary Intelligence Analyst Tony Lambert wrote in a company blog Thursday.
Although researchers at Malwarebytes have identified 29,139 macOS endpoints infected by Silver Sparrow, many more machines could be hit by the malicious software, maintained Tony Anscombe, chief security evangelist at Eset.
“Based on what was first seen, the malware may be more widespread than is called out in the disclosure,” he told TechNewsWorld. “The 30K number comes from a single security vendor as opposed to the entire macOS environment.”
However, Malwarebytes Director of Mac and Mobile Thomas Reed maintained the bad app may be coming to light as it’s about to go dark.
“This may be an infection that’s already run its course,” he told TechNewsWorld.
“There’s a file that triggers the malware to self-delete,” he explained. “That file is making up most of our detections at the moment. The creator seems to be sending the self-destruct command now.”
Blocked by Apple
In a statement provided to TechNewsWorld, Apple said that upon discovering the malware, it revoked the certificates of the developer accounts used to sign the packages, preventing new machines from being infected.
Apple also noted that there is no evidence to suggest the malware identified by the researchers has delivered a malicious payload to infected users.
It added that the company has a number of measures in place to provide a safe experience for its users, including technical mechanisms, such as the Apple notary service, to protect users by detecting malware and blocking it so it can’t run.
That service, though, has been less than perfect in the past, maintained Joshua A. Long, chief security analyst at Intego, maker of security and privacy software for Macs, in Austin, Texas.
“It is more significant that, according to our own research at Intego, this is at least the sixth major time that Apple’s notarization process has failed to detect malware families that have either been distributed in the wild or uploaded to VirusTotal,” he told TechNewsWorld.
“Notarization is specifically supposed to identify and block new malware before it can ever infect Macs,” he continued, “but Apple’s automated notarization process has repeatedly notarized dozens of malware samples that Apple has failed to detect as malicious.”
Poisoned Searches
How the infected machines came into contact with the malware is a mystery at the moment. “Malware researchers have not yet conclusively identified the exact delivery method,” Long said.
“One theory is that end-users may have encountered the malware via poisoned Google search results — search results leading to legitimate sites that have been compromised by a threat actor or malicious sites that rank highly for particular searches,” he added.
Another possibility is malicious browser extensions, Red Canary Director of Intelligence Katie Nickels noted during a live streaming session on Twitter on Monday.
Long added that there are two versions of the malware, also known as Slisp. One is compiled for Intel Macs. The other is a universal binary that runs on both Intel and ARM-based M1 machines.
“It’s worth noting, however, that M1 Macs can often run Mac malware compiled only for Intel, due to Apple’s Rosetta technology which enables Intel binaries to run on M1 Macs,” he added.
“We can expect that virtually all Mac malware from this point forward will be designed to run on both architectures,” he predicted.
Malware ARMs Race
Lambert agreed that Apple’s M1 architecture will be a future target of bad actors.
“The inclusion of a binary compiled for use on systems running Apple’s new M1 ARM processor is important, because it suggests that the developers of Silver Sparrow are thinking ahead rather than simply writing their malware to be compatible with those chipsets that currently have the largest share of the market,” he told TechNewsWorld.
Christopher Budd, senior global threat communications manager at Avast, of Prague in the Czech Republic, a maker of security software, including antivirus programs for the Mac, explained that malware authors are essentially business people. They adapt based on market trends.
“Making this malware functional on new M1 systems shows that these authors believe there is or will be enough of a market for that platform to make it worthwhile to devote resources to it,” he told TechNewsWorld.
“The fact that macOS malware and adware authors are compiling binaries for M1 was obvious, expected, and does not warrant the recent sensationalism,” added Eset Detection Engineer Michal Malik.
Novel Install
Targeting Apple’s ARM architecture isn’t the only way Silver Sparrow distinguishes itself from most Mac malware found in the wild.
“Most of the malware we observe for macOS systems ultimately delivers adware and related payloads,” Lambert explained.
“They tend to use preinstall, postinstall, or other shell scripts inside PKG and DMG installers,” he continued. “While we’ve seen legitimate software use the macOS Installer JavaScript API, it’s not something we’ve ever observed with macOS malware.”
Eset’s Anscombe noted that the persistence and unconventional method of installation are notable aspects of Silver Sparrow, but there are more dangerous malware samples already in the wild.
“The danger of this malware depends on the actions of the author to deliver a payload and it’s intent,” he said.
“There is also the risk that another bad actor could try and leverage the mechanism and take control of it,” he added.
Myth of the Invincible Mac
What can consumers do to protect themselves from Silver Sparrow? Lambert recommends turning to third-party protection.
“As a general rule, we typically recommend that users run third-party antivirus or antimalware products to supplement the existing antimalware protections maintained by operating system manufacturers,” he said.
“While we’re talking specifically about macOS in this case,” he continued. “this advice is just as applicable to Windows machines.”
That advice may be dubious to Mac owners who’ve been told their machines are immune from infections from malicious software.
“It’s not that difficult to infect a Mac,” Reed observed. “The only thing that has stood in the way in the past has been market share.”
“Why would you want to invest your time in creating malware for a system that has fairly low market share compared to Windows?” he asked. “But as Macs have increased their market share, they’ve become an increasingly popular target, especially because a lot of the people who have Macs are people who you would want to target, like CEOs and other well-paid professionals.”
Social Media
See all Social Media