For decades Apple has insisted that Macs are free from the corruption of malware, and yet here was one that appears to have been made specifically for Apple users.
The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany.
This bash shell is then used to invoke macOS's built-in PlistBuddy tool to create a LaunchAgent that executes a bash script every hour. This is the command-and-control process: the script downloads a JSON file containing (potentially) new instructions.
Silver Sparrow has a single, tiny binary as its payload that does nothing but open a window reading "Hello, World!" (in v1, which targets Intel Macs) or "You did it!" (in v2, which is an M1-compatible fat binary). These "bystander binaries" are never executed and appear to be proofs of concept or placeholders for future functionality.
Once an hour, infected Macs check a control server to see whether there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the 30,000 infected machines, leaving the malware's goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
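The persistence and check-in mechanism described above (a LaunchAgent that runs a shell script on an hourly timer) leaves a recognizable footprint in the user's LaunchAgents folder. The Python below is an added detection example written for this page; it is not code from the article or from the researchers it cites. The two embedded plists are constructed samples, the labels and paths in them are hypothetical, and the "two or more indicators" threshold is a heuristic chosen for illustration.

```python
import os
import plistlib
from typing import Any, Dict, List

# Interpreters whose appearance as the launched program, combined with a
# periodic StartInterval, matches the persistence pattern described above.
SHELL_NAMES = {"sh", "bash", "zsh"}

# Constructed sample LaunchAgent plists for offline testing (not real artifacts).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>~/Library/Application Support/example/agent.sh</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def analyze_launch_agent(plist_bytes: bytes) -> Dict[str, Any]:
    """Parse one LaunchAgent plist and return the indicators it exhibits."""
    data = plistlib.loads(plist_bytes)
    args: List[str] = list(data.get("ProgramArguments") or [])
    if not args and data.get("Program"):
        args = [data["Program"]]
    interval = data.get("StartInterval")
    reasons: List[str] = []

    # 1. The launched program is a shell interpreter rather than an app binary.
    if args and os.path.basename(args[0]) in SHELL_NAMES:
        reasons.append("program is a shell interpreter")
    # 2. Any argument points at a shell script.
    if any(a.endswith(".sh") for a in args):
        reasons.append("invokes a .sh script")
    # 3. It fires on a short timer (the article's sample phones home hourly).
    if isinstance(interval, int) and 0 < interval <= 3600:
        reasons.append(f"StartInterval of {interval}s")

    return {
        "label": data.get("Label", "<none>"),
        "program_arguments": args,
        "start_interval": interval,
        "reasons": reasons,
        # Heuristic: two or more indicators together merit analyst review.
        "suspicious": len(reasons) >= 2,
    }


def scan_launch_agents(directory: str) -> List[Dict[str, Any]]:
    """Analyze every .plist in a LaunchAgents directory, skipping unreadable files."""
    results: List[Dict[str, Any]] = []
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                result = analyze_launch_agent(fh.read())
        except (OSError, plistlib.InvalidFileException, ValueError):
            continue
        result["path"] = path
        results.append(result)
    return results


if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(analyze_launch_agent(sample))
    # On a real Mac, also walk the current user's LaunchAgents folder.
    for hit in scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")):
        if hit["suspicious"]:
            print("REVIEW:", hit["path"], hit["reasons"])
```

The scan reads plists with the standard library's plistlib, so it runs on any platform for the embedded samples; on macOS it can also be pointed at ~/Library/LaunchAgents and /Library/LaunchAgents to surface agents whose program is a shell interpreter running a script on a short interval, which is the pattern the article describes rather than any specific file name.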
The malware comes with a mechanism to completely remove itself, a capability typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why it is there.
To make matters worse, the malware runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so.