Mac M1 targeted with additional malware, exact threat remains a mystery



The second known piece of malware that was compiled to run natively on M1 Macs was discovered by security firm Red Canary.

Named “Silver Sparrow”, the malicious package is believed to use the JavaScript API of the macOS Installer to execute suspicious commands. However, after observing the malware for over a week, neither Red Canary nor its research partners saw any final payload delivered, so the exact threat it poses remains a mystery.

Nonetheless, Red Canary said the malware could be “a reasonably serious threat”:

While we have yet to observe Silver Sparrow delivering additional malicious payloads, its compatibility with the forward-looking M1 chip, global reach, relatively high infection rate, and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impacting payload at a moment’s notice.

According to data provided by Malwarebytes, “Silver Sparrow” had infected 29,139 macOS systems in 153 countries as of February 17, including “high volumes of detection in the US, UK, Canada, France and Germany.” Red Canary did not specify how many of those systems were M1 Macs, if any.

Since the “Silver Sparrow” binaries “don’t seem to be doing much yet,” Red Canary called them “bystander binaries”. When run on Intel-based Macs, the malicious package simply displays a blank window with a “Hello, World!” message, while the Apple silicon binary opens a red window that says “You did it!”

Red Canary shared methods for detecting a wide range of macOS threats, but the steps are not specific to detecting “Silver Sparrow”:

– Look for a process that appears to be PlistBuddy running in conjunction with a command line containing all of the following: LaunchAgents, RunAtLoad and true. This analytic helps find several macOS malware families that establish LaunchAgent persistence.
– Look for a process that appears to be sqlite3 running in conjunction with a command line containing: LSQuarantine. This analytic helps find several macOS malware families that manipulate or search the quarantine metadata of downloaded files.
– Look for a process running in conjunction with a command line containing: s3.amazonaws.com. This analytic helps find multiple macOS malware families that use S3 buckets for distribution.
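The three heuristics above map directly onto process-execution telemetry (process name plus command line). The script below is an added illustration, not Red Canary's detection code: it encodes each heuristic as a rule and runs them over a handful of constructed sample events. The process names, paths and bucket name in the sample data are made up for the example; the quarantine database path is the standard macOS location.

```python
"""Added example: the three macOS command-line heuristics as simple detection rules.

Each rule takes (process_name, command_line) and returns True on a match.
Matching is case-insensitive on the command line because macOS paths are
typically case-insensitive, and the rules are deliberately broad: they
also fire on legitimate admin activity, so hits are triage leads, not verdicts.
"""

# Constructed sample telemetry (process name, full command line). Not real data.
SAMPLE_EVENTS = [
    # Heuristic 1: PlistBuddy writing a RunAtLoad=true LaunchAgent (persistence)
    ("PlistBuddy",
     "/usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' "
     "/Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    # Heuristic 2: sqlite3 querying the LaunchServices quarantine database
    ("sqlite3",
     "sqlite3 /Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "
     "'select LSQuarantineDataURLString from LSQuarantineEvent'"),
    # Heuristic 3: any process fetching from an S3 bucket (bucket name is made up)
    ("curl",
     "curl -s https://example-bucket.s3.amazonaws.com/update.zip -o /tmp/update.zip"),
    # Benign PlistBuddy use: reads a bundle version, no LaunchAgents/RunAtLoad
    ("PlistBuddy",
     "/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "
     "/Applications/Example.app/Contents/Info.plist"),
    # Unrelated noise
    ("ls", "ls -la /Users/Shared"),
]


def launchagent_persistence(proc, cmd):
    """PlistBuddy plus LaunchAgents, RunAtLoad and true on the command line."""
    c = cmd.lower()
    return proc.lower() == "plistbuddy" and all(
        token in c for token in ("launchagents", "runatload", "true")
    )


def quarantine_metadata_access(proc, cmd):
    """sqlite3 touching LSQuarantine metadata for downloaded files."""
    return proc.lower() == "sqlite3" and "lsquarantine" in cmd.lower()


def s3_bucket_distribution(proc, cmd):
    """Any process whose command line references s3.amazonaws.com."""
    return "s3.amazonaws.com" in cmd.lower()


RULES = [
    ("launchagent_persistence", launchagent_persistence),
    ("quarantine_metadata_access", quarantine_metadata_access),
    ("s3_bucket_distribution", s3_bucket_distribution),
]


def evaluate(events):
    """Return a list of (rule_name, process_name) for every matching event."""
    hits = []
    for proc, cmd in events:
        for name, rule in RULES:
            if rule(proc, cmd):
                hits.append((name, proc))
    return hits


if __name__ == "__main__":
    for rule_name, proc in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {proc}")
```

Running it flags the first three constructed events, one per heuristic, and leaves the benign PlistBuddy call and the `ls` event alone. In a real deployment these rules would sit in an EDR or a log pipeline over process-creation events, and, as the article notes, each hit still needs triage because none of them is specific to Silver Sparrow.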

The first malware capable of running natively on M1 Macs was discovered just a few days earlier. Technical details on this second malware can be found in the Red Canary blog post, and Ars Technica also has a good explainer.
