
Malware monsters target Apple’s M1 silicon with ‘Silver Sparrow’

Behaves like a legit software installer and phones home for instructions, but lacks a payload

US security consultancy Red Canary says it’s found MacOS malware written specifically for the shiny new M1 silicon that Apple created to power its post-Intel Macs.

Red Canary has named the malware “Silver Sparrow” and says it had found its way onto almost 30,000 MacOS devices as of February 17th.

Red Canary’s post says it has analysed two samples of the malware, one targeting x86 and the other targeting both x86 and Apple’s own M1 silicon. The firm says both samples “leverage the macOS Installer JavaScript API to execute suspicious commands.” That’s not unusual behaviour for a legitimate software installer package, but Red Canary says it has not spotted it in malware before.

Once the scripts run, a Mac will have two new and nasty files, one of which phones home to the malware’s authors to report it was installed.


The other script is driven by a persistent LaunchAgent that runs it hourly to connect with a server and request more information from whoever controls the malware.

Red Canary says that hourly request “tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.”

The firm’s researchers ran the malware for a week and never saw that request result in a download, leading them to suggest the malware currently lacks a payload.
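The hourly LaunchAgent behaviour described above, as an added detection heuristic that is not from Red Canary’s write-up: it parses a LaunchAgent plist and flags one whose StartInterval is roughly hourly, whose program is a shell wrapper, and whose command fetches remote content (with the JSON-to-plist conversion step as extra weight). The sample plist, its label and its URL are constructed for illustration and are not real Silver Sparrow artefacts.

```python
import plistlib
from pathlib import Path

# Constructed sample for the test; not a real Silver Sparrow artefact.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s https://example.invalid/u.json -o /tmp/u.json; plutil -convert xml1 /tmp/u.json</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh"}
FETCH_TOOLS = ("curl", "wget")

def analyse_launch_agent(data: bytes) -> dict:
    """Score one LaunchAgent plist against the pattern: persistent, hourly,
    shell-wrapped, and reaching out to the network for further instructions."""
    d = plistlib.loads(data)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    joined = " ".join(str(a) for a in args)
    interval = d.get("StartInterval")
    f = {
        "label": d.get("Label"),
        "hourly": isinstance(interval, int) and 3000 <= interval <= 4200,
        "shell_wrapper": bool(args) and str(args[0]) in SHELLS,
        "network_fetch": any(t in joined for t in FETCH_TOOLS),
        "plist_conversion": "plutil" in joined,  # the JSON -> plist step from the write-up
    }
    # All three core traits together are rare for a legitimate agent; plutil adds weight.
    f["suspicious"] = f["hourly"] and f["shell_wrapper"] and f["network_fetch"]
    return f

def scan_launch_agents(directory: str) -> list[dict]:
    """Run the heuristic over every .plist in a LaunchAgents folder (e.g. ~/Library/LaunchAgents)."""
    results = []
    for p in Path(directory).glob("*.plist"):
        try:
            results.append(analyse_launch_agent(p.read_bytes()))
        except Exception as e:  # corrupt or unreadable plists are reported, not fatal
            results.append({"label": p.name, "error": str(e)})
    return [r for r in results if r.get("suspicious")]

if __name__ == "__main__":
    print(analyse_launch_agent(SAMPLE_PLIST))
```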

How the malware is distributed remains a mystery, but Red Canary’s researchers have divined that it uses resources in AWS and Akamai’s content distribution network. The firm suggests Silver Sparrow’s authors therefore appear to have a decent understanding of how working in a public cloud and CDN makes it harder to defend against malware, because organisations often have very good reasons to welcome traffic from large public clouds. ®
