
Apple Takes Action Against Silver Sparrow Malware Discovered on 30K Infected Macs

Infections have been confirmed in 153 countries and this new malware can also target M1 Macs.

Updated February 23, 2021

UPDATE 2/23: Following the discovery of this new strain of malware, Apple reacted yesterday by revoking the certificates of the developer accounts used to sign the packages. In so doing, it prevents new macOS machines from being infected. An Apple spokesperson was also keen to point out "there is no evidence to suggest the malware they identified has delivered a malicious payload to infected users."


Original Story 2/22:
If a reminder were needed that no platform is safe from infection, a brand new strain of malware has been found hiding on 30,000 Macs waiting to be told what to do.

As Ars Technica reports, the new macOS malware was discovered by security vendor Red Canary, with the company naming this unusual strain "Silver Sparrow." Why is it unusual? As Red Canary's Tony Lambert explains, Silver Sparrow "did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware."

Silver Sparrow is also unusual because it's only the second known piece of malware capable of targeting Apple's new M1 ARM architecture Macs, and because it hasn't done anything yet. Macs located in 153 different countries are known to be infected, although the highest volumes are found in the United States, United Kingdom, Canada, France, and Germany.

Silver Sparrow is being taken very seriously both because of how successful it has already been at quietly infecting over 30,000 Macs around the world and because the malware is using Amazon Web Services and Akamai for its command infrastructure. That means it could prove very difficult to take down.

For now, every Mac infected with Silver Sparrow communicates with a control server every hour to see if there are new commands to carry out. So far, none seem to have been issued. The researchers also discovered the malware includes the capability to remove itself from a system, meaning it could be used to execute a command and then promptly disappear.
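Because the command infrastructure sits on shared cloud and CDN hosting, the hourly cadence of the check-in is a more practical hunting signal than the destination itself. The sketch below is an added example, not code from the article or from Red Canary: it flags host/destination pairs in connection logs that recur about once an hour. The log tuple format, the hostnames, the sample data and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def find_hourly_beacons(events, period=3600, tolerance=120, min_hits=4):
    """events: iterable of (iso_timestamp, host, destination) tuples.
    Returns sorted (host, destination) pairs whose connections recur
    roughly every `period` seconds. Thresholds are assumed defaults."""
    times = defaultdict(list)
    for ts, host, dest in events:
        times[(host, dest)].append(datetime.fromisoformat(ts))
    flagged = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A sleeping laptop misses check-ins, so a gap also counts as
        # regular when it is close to a whole multiple of the period.
        regular = [g for g in gaps
                   if round(g / period) >= 1
                   and abs(g - round(g / period) * period) <= tolerance]
        if (len(regular) / len(gaps) >= 0.8
                and abs(median(gaps) - period) <= tolerance):
            flagged.append(pair)
    return sorted(flagged)

def sample_events():
    """Constructed sample log; every hostname here is a placeholder."""
    base = datetime(2021, 2, 22, 8, 0, 0)
    ev = []
    # mac-01: hourly check-in with a few seconds of jitter; hour 5 missed
    for hour, jitter in [(0, 0), (1, 4), (2, -3), (3, 7), (4, 2), (6, 5), (7, -1)]:
        stamp = base + timedelta(hours=hour, seconds=jitter)
        ev.append((stamp.isoformat(), "mac-01", "cdn.example.net"))
    # mac-01: ordinary, irregular browsing
    for minutes in [3, 11, 12, 95, 240, 251]:
        stamp = base + timedelta(minutes=minutes)
        ev.append((stamp.isoformat(), "mac-01", "news.example.org"))
    # mac-02: five-minute polling, periodic but not hourly
    for i in range(12):
        stamp = base + timedelta(minutes=5 * i)
        ev.append((stamp.isoformat(), "mac-02", "sync.example.com"))
    return ev

if __name__ == "__main__":
    for host, dest in find_hourly_beacons(sample_events()):
        print(f"hourly check-in pattern: {host} -> {dest}")
```

Legitimate software such as update checkers and telemetry agents also polls on the hour, so a flagged pair is a lead to investigate rather than a verdict.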

Lambert points to many intelligence gaps that need to be filled with regard to Silver Sparrow. "In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload."

Anyone wanting to check if their Mac is infected with Silver Sparrow can read through the "Indicators of Compromise" section of the Red Canary blog post for some pointers on what to look for.

About Matthew Humphries

Senior Editor

I started working at PCMag in November 2016, covering all areas of technology and video game news. Before that I spent nearly 15 years working at Geek.com as a writer and editor. I also spent the first six years after leaving university as a professional game designer working with Disney, Games Workshop, 20th Century Fox, and Vivendi.
