
Mysterious malware hits 30,000 Macs

22 February 2021


Crisis of faith

A piece of malware has been found on almost 30,000 Macs worldwide and apparently it has baffled the Tame Apple Press.

For decades it has insisted that Macs are free from the corruption of malware, and yet here was one which appears to have been made specifically for Apple users.

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany.

Red Canary, the security firm that discovered the malware, has named it "Silver Sparrow." It uses the macOS Installer JavaScript API to launch a bash process to gain a foothold in the user's system, a hitherto unobserved method for bypassing malware detection.

This bash shell is then used to invoke macOS's built-in PlistBuddy tool to create a LaunchAgent which executes a bash script every hour. This is the command-and-control process, which downloads a JSON file containing (potentially) new instructions.

Silver Sparrow has a single, tiny binary as its payload that does nothing but open a window reading "Hello, World!" (in v1, which targets Intel Macs) or "You did it!" (in v2, which is an M1-compatible fat binary). These "bystander binaries" are never executed and appear to be proofs-of-concept or placeholders for future functionality.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the 30,000 infected machines, leaving the malware's goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
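As an added example (not part of the article or of Red Canary's report), a small Python hunt that scans a LaunchAgents directory for the persistence pattern described above: a plist whose program is a shell interpreter and whose StartInterval is 3600 seconds, i.e. an hourly check-in script. The shell names, the one-hour threshold and the sample plists are assumptions constructed here, not indicators taken from the article.

```python
"""Flag LaunchAgent plists that run a shell script on an hourly timer.

Added example, not the article's or Red Canary's code. Shell names and the
3600-second threshold are assumptions; the sample plists are constructed.
"""
import plistlib
from pathlib import Path

SHELLS = {"bash", "sh", "zsh"}   # assumed interpreter names worth flagging
HOUR = 3600                      # StartInterval of one hour, as described


def suspicious_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a plist matches the pattern; empty list means clean."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # not a parseable plist (XML or binary)
        return ["unparseable plist"]
    reasons = []
    args = list(data.get("ProgramArguments") or [])
    argv0 = args[0] if args else data.get("Program")
    uses_shell = bool(argv0) and Path(str(argv0)).name in SHELLS
    if uses_shell:
        reasons.append(f"runs shell interpreter {argv0}")
        script = next((a for a in args[1:] if str(a).endswith(".sh")), None)
        if script:
            reasons.append(f"executes script {script}")
    hourly = data.get("StartInterval") == HOUR
    if hourly:
        reasons.append("StartInterval is 3600 s (hourly check-in)")
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad set")
    # A shell as the program combined with a timer or login trigger is what
    # merits review; RunAtLoad on its own is common in legitimate agents.
    return reasons if uses_shell and (hourly or data.get("RunAtLoad")) else []


def scan_launch_agents(directory: Path) -> dict:
    """Map every flagged *.plist under `directory` to its list of reasons."""
    hits = {}
    for plist in sorted(directory.glob("*.plist")):
        reasons = suspicious_launch_agent(plist.read_bytes())
        if reasons:
            hits[str(plist)] = reasons
    return hits


# Constructed samples: one matching the pattern, one ordinary helper agent.
SAMPLE_HOURLY_SHELL = b"""<plist version="1.0"><dict>
<key>Label</key><string>example.agent</string>
<key>ProgramArguments</key><array><string>/bin/bash</string>
<string>/Users/me/Library/Application Support/example/agent.sh</string></array>
<key>StartInterval</key><integer>3600</integer><key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_BENIGN = b"""<plist version="1.0"><dict><key>Label</key><string>app.helper</string>
<key>ProgramArguments</key><array><string>/Applications/App.app/Contents/MacOS/helper</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    for path, why in scan_launch_agents(Path.home() / "Library/LaunchAgents").items():
        print(path, "->", "; ".join(why))
```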

The malware comes with a mechanism to completely remove itself, a capability that's typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why it is there.

To make matters worse, the malware runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so.

 

Last modified on 22 February 2021