The second known piece of malware compiled to run natively on M1 Macs was discovered by security firm Red Canary.
Given the name “Silver Sparrow”, the malicious package would use the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, neither Red Canary nor its research partners have seen a final payload, so the exact threat posed by the malware remains a mystery.
Nevertheless, Red Canary said the malware could be “a fairly serious threat”:
While we have seen that Silver Sparrow does not deliver additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest that Silver Sparrow is a fairly serious threat, uniquely positioned to deliver a potentially impactful payload right away.
According to data from Malwarebytes, “Silver Sparrow” had infected 29,139 macOS systems in 153 countries on Feb. 17, including “large detection volumes in the United States, United Kingdom, Canada, France and Germany”. Red Canary did not specify how many of these systems were M1 Macs, if any.
Since the “Silver Sparrow” binaries “don’t seem to be doing that much yet,” Red Canary called them “bystander binaries”. When run on Intel-based Macs, the malicious package simply displays an empty window with a “Hello, world!” message, while the Apple silicon binary file leads to a red window that says “You did it!”
Red Canary has shared methods for detecting a wide variety of macOS threats, but the steps are not specific to “Silver Sparrow”; they target behaviours shared by many macOS malware families:
– Look for a process that appears to be running PlistBuddy in conjunction with a command line that contains: LaunchAgents and RunAtLoad and true. This analysis helps us find multiple macOS malware families that establish LaunchAgent persistence.
– Look for a process that appears to be running sqlite3 in conjunction with a command line containing: LSQuarantine. This analysis helps us find multiple macOS malware families that manipulate or search metadata for downloaded files.
– Look for a process that appears to be running curl in conjunction with a command line containing the following: s3.amazonaws.com. This analysis helps us find multiple macOS malware families that use S3 buckets for distribution.
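The three detection opportunities above are process-name plus command-line patterns, which is exactly the shape a simple rule engine over endpoint process events can evaluate. The following is an added example written for this article, not code from Red Canary or from the Silver Sparrow analysis; the `ProcessEvent` record, the rule names, and the sample events (including the placeholder S3 URL and the demo user paths) are all constructed here for illustration. Matching is done case-insensitively on the image's basename and on the command line, which is an assumption about how a collector normalises these fields.

```python
"""Evaluate the three Red Canary process/command-line detection patterns over sample events."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start event, in the form an EDR agent or log collector would record it (constructed)."""
    process: str   # full path of the executed image
    cmdline: str   # complete command line including arguments


# (rule name, expected image name, substrings that must ALL appear in the command line)
# The rule names are constructed labels; the patterns are the ones listed in the article.
RULES: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("launchagent_persistence_via_plistbuddy", "PlistBuddy",
     ("LaunchAgents", "RunAtLoad", "true")),
    ("lsquarantine_tampering_via_sqlite3", "sqlite3", ("LSQuarantine",)),
    ("s3_bucket_download_via_curl", "curl", ("s3.amazonaws.com",)),
]


def matching_rules(event: ProcessEvent) -> List[str]:
    """Return the names of every rule whose image name and command-line substrings match the event."""
    image = event.process.rsplit("/", 1)[-1]      # compare on basename so /usr/bin/curl and curl both match
    cmdline = event.cmdline.lower()
    return [
        name for name, image_name, needles in RULES
        if image.lower() == image_name.lower()
        and all(needle.lower() in cmdline for needle in needles)
    ]


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (event index, rule name) pairs for each hit."""
    hits: List[Tuple[int, str]] = []
    for index, event in enumerate(events):
        for rule in matching_rules(event):
            hits.append((index, rule))
    return hits


# Constructed sample events: three that should fire one rule each, two benign ones that should not.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("/usr/libexec/PlistBuddy",
                 '/usr/libexec/PlistBuddy -c "Add :Label string com.example.agent" '
                 '-c "Add :RunAtLoad bool true" '
                 "/Users/demo/Library/LaunchAgents/com.example.agent.plist"),
    ProcessEvent("/usr/bin/sqlite3",
                 "/usr/bin/sqlite3 /Users/demo/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "
                 "'select LSQuarantineDataURLString from LSQuarantineEvent'"),
    ProcessEvent("/usr/bin/curl",
                 "/usr/bin/curl -s https://constructed-bucket.s3.amazonaws.com/PLACEHOLDER -o /tmp/out"),
    # Benign: curl to an ordinary host, no S3 bucket in the command line.
    ProcessEvent("/usr/bin/curl", "/usr/bin/curl -s https://example.com/index.html"),
    # Benign: PlistBuddy reading an app's Info.plist, no LaunchAgents/RunAtLoad.
    ProcessEvent("/usr/libexec/PlistBuddy",
                 '/usr/libexec/PlistBuddy -c "Print :CFBundleVersion" '
                 "/Applications/Example.app/Contents/Info.plist"),
]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index].process} -> {rule}")
```

Running the module against the constructed events flags only the first three: the PlistBuddy LaunchAgent write, the sqlite3 query against the quarantine database, and the curl download from an S3 bucket. Because these patterns also appear in legitimate administration (for example a deployment script that writes a LaunchAgent), a practitioner would treat a hit as a triage signal and pivot on the parent process, the signing status of the binary, and the file that was written or fetched rather than alert on the match alone.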
The first piece of malware that can run natively on M1 Macs was only discovered a few days ago. Technical details about this second piece of malware can be found in Red Canary’s blog post, and Ars Technica also has a good explanation.