Mysterious malware infecting Apple Silicon Macs has no payload yet
More malware affecting Apple Silicon Macs has been discovered, but researchers have noticed that a malicious payload is missing, for now.

It looks like there may be more malware aimed at Apple’s M1-based Macs than previously thought. Following the first reports of M1-native malware found in the wild, further infections have turned up, but of a particularly toothless variety.

In early February, researchers at Red Canary discovered a strain of macOS malware that used a LaunchAgent for persistence, as other forms of malware do. What interested the researchers was that the malware behaved differently from ordinary adware, because of the way it used JavaScript for execution.

The malware cluster, which the researchers named “Silver Sparrow”, also included a binary compiled to run natively on M1 chips, making it malicious software capable of targeting Apple Silicon Macs.

Further analysis by VMware Carbon Black and Malwarebytes determined that Silver Sparrow was likely a “previously undetected strain of malware”. As of February 17, it had been detected on 29,139 macOS endpoints in 153 countries, with the bulk of infections in the United States, United Kingdom, Canada, France and Germany.

At the time of publication, the malware had not been used to deliver a malicious payload to infected Macs, although that may change. Given its M1 compatibility, its “relatively high infection rate” and its operational maturity, it was considered a sufficiently serious threat, one that is “uniquely positioned to deliver a potentially impactful payload to any time”, to warrant public disclosure.

Two versions of the malware were discovered. The payload of one version was a binary that runs only on Intel Macs, while the other was a universal binary compiled for both the Intel and M1 architectures. The payload is apparently a placeholder: the first version opens a window that literally says “Hello, World!” and the second says “You did it!”

An example of the included binary [via Red Canary]

Had a real payload been present, a single universal executable of this kind would let the same or similar payload instructions run on both architectures.

The infection mechanism revolved around files named “update.pkg” and “updater.pkg”, disguised as installers. They abuse the macOS installer JavaScript API to execute suspicious commands.

This is behavior occasionally seen in legitimate software but not normally in malware, which typically relies on pre-install or post-install scripts for command execution.
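Because the installer JavaScript API is the unusual element here, a defender triaging a suspect .pkg would want to look at the Distribution XML inside the package (the file that carries any installer-side JavaScript) rather than only at the usual preinstall/postinstall scripts. The following is an added example, not code from the article or from Red Canary: it parses a constructed Distribution XML, pulls out every `<script>` block, and flags lines that call `system.run` or reach for a shell. The sample package contents and the pattern list are assumptions made for illustration, not indicators taken from Silver Sparrow.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Distribution file, modelled on the structure of a
# flat macOS installer package. The embedded JavaScript is invented for this
# example; it is NOT Silver Sparrow's actual script.
SUSPECT_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Updater</title>
  <options customize="never" allow-external-scripts="no"/>
  <script>
  function installationCheck() {
      // Ordinary-looking version gate, harmless on its own.
      if (system.compareVersions(system.version.ProductVersion, '10.13') == -1) {
          my.result.message = 'Unsupported macOS version';
          return false;
      }
      // Command execution from an installer hook that should only inspect.
      system.run('/bin/sh', '-c', '/tmp/updater_helper');
      return true;
  }
  </script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Updater"/>
</installer-gui-script>
"""

# A benign Distribution with no JavaScript at all, for comparison.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Plain package</title>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Plain package"/>
</installer-gui-script>
"""

# Patterns that indicate installer-side JavaScript is executing commands.
# system.run is the documented Installer JS API call for that; the rest are
# a conservative, hand-picked list (an assumption, not an authoritative set).
SUSPICIOUS_PATTERNS = [
    r"system\.run\s*\(",
    r"/bin/(ba)?sh\b",
    r"\bosascript\b",
    r"\bcurl\b",
]


def extract_scripts(distribution_xml: str) -> list:
    """Return the text of every <script> element in a Distribution XML."""
    root = ET.fromstring(distribution_xml)
    return [node.text or "" for node in root.iter("script")]


def find_suspicious_calls(distribution_xml: str) -> list:
    """Return one finding per (script line, pattern) match.

    Each finding records which script block, which line within it, the
    pattern that fired, and the offending line of JavaScript.
    """
    findings = []
    for script_idx, script in enumerate(extract_scripts(distribution_xml)):
        for lineno, line in enumerate(script.splitlines(), start=1):
            for pattern in SUSPICIOUS_PATTERNS:
                if re.search(pattern, line):
                    findings.append({
                        "script": script_idx,
                        "line": lineno,
                        "pattern": pattern,
                        "text": line.strip(),
                    })
    return findings


def verdict(distribution_xml: str) -> str:
    """Summarise a Distribution file as 'suspicious', 'has-js' or 'clean'."""
    if find_suspicious_calls(distribution_xml):
        return "suspicious"
    if extract_scripts(distribution_xml):
        return "has-js"
    return "clean"


if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(f"{name}: {verdict(xml_text)}")
        for f in find_suspicious_calls(xml_text):
            print(f"  script {f['script']} line {f['line']}: {f['text']}  [{f['pattern']}]")
```

On a real package you would first expand the flat archive (for example with `pkgutil --expand`) and feed the resulting Distribution file to `find_suspicious_calls`. A package whose JavaScript merely inspects the system lands in the `has-js` bucket; only scripts that actually hand control to a shell are reported as suspicious, which keeps the check useful against legitimate installers that use the API for version or hardware checks.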

Once installed, the infection checks a specific URL for a downloadable file, which might contain additional instructions or a final payload. A week of monitoring turned up no final payload, although that may yet change.

There are still many unanswered questions for researchers about Silver Sparrow. These include where the original PKG files used to infect systems came from, and pieces of the malware's code that appear to belong to a larger toolset.

“The ultimate purpose of this malware is a mystery,” admits Red Canary. “We have no way of knowing for sure what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future distribution schedule.”

There’s also the question of why the “Hello World” executables are included at all, since the binary only runs if a victim actively seeks it out and launches it, rather than executing automatically. The executables suggest either that the malware is still in development or that a set of applications was needed to make the package appear legitimate to other parties.
