A 2nd malware that targets Macs with Apple’s in-house M1 chip is infecting machines worldwide — but it is unclear why.
After macOS adware being recompiled to target Apple’s new in-house processor, researchers have discovered a brand-new family of malware targeting the platform.
Curiously, in the samples seen so far by analysts at Red Canary, the malware (dubbed Silver Sparrow) has been executing on victim machines with the final payload yet to be determined.
It appears to be lying in wait for further instructions, which is worrying because it is clear that the authors are advanced & sophisticated adversaries, researchers commented.
Silver Sparrow has ‘taken flight’ : As of Feb. 17, this fresh entry to the malware scene had already infected 29,139 macOS endpoints across 153 countries, according to researchers – primarily in Canada, France, Germany, the UK & the US.
Benefits of the Mac M1
Apple released the M1 system-on-a-chip (SoC) last fall, marking the first time that the tech giant has created its own desktop/laptop silicon. The pivot from the Intel chips that Macs used before comes with a few benefits, such as faster performance for native applications.
It also integrates a graphics processor, a machine-learning neural engine & the company’s T2 security chip. It uses ARM architecture, which usually powers mobile or portable devices. The smaller ARM profile translates into lower power consumption, &, Apple says, double the battery life.
With new Macs starting to roll out, cyber-criminals are now looking to these M1-powered targets, as evidenced by the emergence of a rebooted “Pirrit” adware detailed by Patrick Wardle this week.
Now, the Silver Sparrow malware family has appeared – a brand-new malware built for the Mac M1 eco-system, researchers explained.
Silver Sparrow Flies its Nest
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate & operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” researchers stated in a posting on Thurs.
It is unclear how the malware is spreading – though both binaries have “package” in their names, lending a clue.
Researchers noted, “We’ve found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as updates for a legitimate application”—such as Adobe Flash Player, as an example.
Silver Sparrow’s infrastructure is hosted on Amazon Web Services S3 cloud platform, according to Red Canary. The call-back domains it uses are hosted through Akamai’s content delivery network (CDN).
“This implies that the adversary likely understands…this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic,” researchers noted. “Most organisations cannot afford to block access to resources in AWS & Akamai. The decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary.”
“While we’ve observed legitimate software doing this, this is the first instance we’ve observed it in malware,” researchers stated. “This is a deviation from behaviour we usually observe in malicious macOS installers, which generally use preinstall or postinstall scripts to execute commands.”
Command for Execution
Once installed, Silver Sparrow uses Apple’s system.run command for execution.
“Apple documented the system.run code as launching ‘a given program in the Resources directory of the installation package,’ but it’s not limited to using the Resources directory,” researchers explained.
“As observed with Silver Sparrow, you can provide the full path to a process for execution & its arguments. By taking this route, the malware causes the installer to spawn multiple bash processes that it can then use to accomplish its objectives.”
Static Antivirus Signatures
This is a choice that will let the adversary quickly modify the code & ease development, according to Red Canary – & it helps the malware to avoid simple static antivirus signatures by dynamically generating the script rather than using a static script file.
Once fully executed, Silver Sparrow leaves 2 scripts on an infected disk: /tmp/agent.sh & ~/Library/Application Support/verx_updater/verx.sh.
The agent.sh script executes immediately at the end of the installation to contact the command-&-control (C2) server to indicate that installation has successfully occurred.
The verx.sh script meanwhile executes periodically, using a persistent LaunchAgent to contact a remote host for more information, including to check for additional content to download & execute.
“LaunchAgents provide a way to instruct launched, the macOS initialization system, to periodically or automatically execute tasks,” researchers explained. “Every hour, the persistence LaunchAgent tells launched to execute a shell script that downloads a JSON file to disk, converts it into a plist, & uses its properties to determine further actions.”
In observing the malware’s check-ins to the C2 for over a week, none of the nearly 30,000 affected hosts downloaded what would be the next or final payload.
This would presumably be a component that would carry out malicious actions like data exfiltration, crypto-mining, ransomware, adware, or DDoS bot enslavement, to name a few possibilities.
In other words, Silver Sparrow’s wings seem ‘clipped’, so far.
Mystery End Goal
“The ultimate goal of this malware is a mystery,” researchers stated. “We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered & removed, or if the adversary has a future timeline for distribution.”
A clue as to what its developers may be going for exists at the end of the installation routine, researchers noticed.
“At the end of the installation, Silver Sparrow executes 2 discovery commands to construct data for a curl HTTP POST request indicating that the installation occurred. One retrieves…the URL used to download the original package file,” they explained.
“By executing a sqlite3 query, the malware finds the original URL the .PKG downloaded from, giving the adversary an idea of successful distribution channels. We commonly see this kind of activity with malicious adware on macOS.”
Silver Sparrow contains a further mystery in the form of placeholder binaries.
Both versions of Silver Sparrow have an extraneous Mach-O binary that appears to play no additional role in their execution.
The Intel-only version simply says, “Hello, World!”; & the M1-compatible sample displays the message “You did it!”
“Based on the data from script execution, the binary would only run if a victim intentionally sought it out & launched it. The messages we observed of ‘Hello, World!’ or ‘You did it!’ could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate,” Red Canary concluded.
The call-back domain for the M1 version of Silver Sparrow was created Dec. 5, shortly after the SoC launched. In all, having 2 different malwares – Wardle’s discovery & Silver Sparrow – circulating already for what remains a limited platform is a notable development, researchers suggested.
Apple is already planning M1’s successor, the M1x chip, so the development work necessary to target this platform is far from finished. Is it worth malware authors’ time?
That remains to be seen, but “this is significant because the M1 ARM64 architecture is young, and researchers have uncovered very few threats for the new platform,” researchers noted.