Security researchers at Malwarebytes and Red Canary discovered a mysterious piece of malware hiding on nearly 30,000 Macs, one designed to deliver an as-yet-unknown payload, and with a self-destruction mechanism that might remove any trace that it ever existed.
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
The malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so.
Despite the missing payload, Silver Sparrow's forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat.
— Red Canary (@redcanary) February 19, 2021
The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.
The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder.
