Researchers can’t figure out what this malware that infects Macs actually does


Photo: Justin Sullivan (Getty Images)

A new strain of malware has infected Mac devices all over the world – especially in the United States and parts of Europe – although experts can’t determine where it came from or what it does.

The malicious program, discovered by the security firm Red Canary and dubbed ‘Silver Sparrow’, infected 29,139 macOS endpoints in 153 countries, with the highest infection rates in the US, UK, France, Germany, and Canada. The program is also one of only a handful of malware strains compatible with products powered by Apple’s new M1 chip.

The researchers describe “Sparrow” as a time bomb: the malware does not seem to have a specific function yet. Instead, it waits, checking in hourly with a command server to see if there are new commands to run on infected devices.

“After observing the malware for over a week, neither we nor our research partners observed a final payload, leaving the ultimate purpose of Silver Sparrow’s activity a mystery,” writes Tony Lambert of Red Canary. “We have no way of knowing for sure what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future distribution schedule.” Researchers also don’t know how the devices were infected.

More troubling still, “Sparrow” seems designed to erase itself from the computer once it has delivered its payload. The program “includes a file check that causes removal of all persistence mechanisms and scripts” that “removes all of its endpoint components,” Lambert said. Ars Technica writes that such capabilities are typically found in “high stealth operations”, that is, intrusion campaigns of a clandestine nature.
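The two behaviours described above, an hourly check-in and persistence that can be torn down on demand, are the kind of thing a defender can look for on a Mac before any payload arrives. The script below is an added example, not code from the article or from Red Canary, and it assumes the check-in is scheduled through a launchd LaunchAgent (the usual macOS persistence mechanism; the article does not say which mechanism Silver Sparrow uses). It audits LaunchAgent/LaunchDaemon property lists and flags jobs that fire on a short fixed interval and run content from a temporary, shared or hidden location. The two sample plists are constructed so the script runs offline; they are not indicators from the campaign, for which Red Canary’s published list is the source.

```python
"""Audit launchd job plists for the periodic-beacon pattern (added example).

Assumed mechanism: a LaunchAgent with a short StartInterval that runs a script
from a user-writable or hidden location. Sample plists below are constructed.
"""
from __future__ import annotations

import plistlib
import sys
from pathlib import Path

# Constructed sample LaunchAgents (not real indicators): an ordinary nightly
# backup job and one that matches the hourly check-in pattern.
SAMPLE_PLISTS = {
    "com.example.nightly-backup.plist": {
        "Label": "com.example.nightly-backup",
        "Program": "/usr/local/bin/backup",
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
    },
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/bin/sh", "-c", "/tmp/example-check.sh"],
        "StartInterval": 3600,  # once an hour
        "RunAtLoad": True,
    },
}

TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "curl"}


def command_line(job: dict) -> list[str]:
    """Return argv for a launchd job whether it uses Program or ProgramArguments."""
    argv = list(job.get("ProgramArguments") or [])
    if not argv and job.get("Program"):
        argv = [job["Program"]]
    return argv


def classify(job: dict) -> list[str]:
    """Return the reasons a job looks like a periodic beacon, or [] if it does not.

    A short interval alone is normal (many updaters poll hourly), so a finding
    requires a timing signal plus at least one red flag about what is executed.
    """
    argv = command_line(job)
    timing: list[str] = []
    content: list[str] = []

    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= 3600:
        timing.append(f"fires every {interval}s")
    if job.get("RunAtLoad") is True:
        timing.append("also runs at login/load")

    joined = " ".join(argv)
    if any(prefix in joined for prefix in TEMP_PREFIXES):
        content.append("runs content from a temporary or shared directory")
    if any(part.startswith(".") for a in argv for part in Path(a).parts[1:]):
        content.append("references a hidden (dot-prefixed) path")
    if argv and Path(argv[0]).name in INTERPRETERS:
        content.append(f"launches an interpreter ({Path(argv[0]).name}) rather than a binary")

    return timing + content if timing and content else []


def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents or LaunchDaemons folder."""
    findings: dict[str, list[str]] = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())
        except Exception as exc:  # malformed or binary-plist edge cases
            findings[path.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = classify(job)
        if reasons:
            findings[path.name] = reasons
    return findings


def scan_samples() -> dict[str, list[str]]:
    """Run the audit over the constructed samples, round-tripped through real plist XML."""
    findings: dict[str, list[str]] = {}
    for name, job in SAMPLE_PLISTS.items():
        reasons = classify(plistlib.loads(plistlib.dumps(job)))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python audit_launchd.py ~/Library/LaunchAgents   (no argument: samples)
    target = Path(sys.argv[1]).expanduser() if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else scan_samples()
    for name, reasons in results.items():
        print(f"{name}: " + "; ".join(reasons))
```

Run it against `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` in turn; anything it flags deserves a look at the script it runs and at the server that script contacts, and a job that has already deleted its own plist and script, as the article says Silver Sparrow can, will of course leave nothing here to find, which is why the check is worth running before a payload lands.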

Two different strains of the malware have been discovered. You can take a look at a technical breakdown of the two versions and how they work below:

Screenshot: Lucas Ropek / Red Canary

While researchers are ultimately puzzled as to why the malware exists, they said that it represents a credible danger to infected systems.

“While we have yet to observe Silver Sparrow delivering additional malicious payloads, its compatibility with forward-looking M1 chips, global reach, relatively high infection rate, and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at all times,” Lambert said.

Apple appears to have stepped in to stop the malware from spreading. The company told MacRumors that it revoked the certificates of the developer accounts used to sign the packages related to “Sparrow”, which should prevent any further Macs from being infected.

Still, if you are worried that your device is compromised, you can check the list of indicators provided by Red Canary.
