Security researchers have discovered previously undetected malware on about 30,000 Macs running either Intel x86_64 or Apple's M1 processors.
Cybersecurity firm Red Canary said two versions of the malware, which it has named “Silver Sparrow,” were identified: one compiled only for Intel x86_64 and uploaded to VirusTotal on August 31, 2020 (version 1), and a second variant, submitted to the database on January 22, that is compiled for both the Intel x86_64 and M1 ARM64 architectures (version 2).
On execution, the x86_64 binary shows the message “Hello, World!” and the M1 binary shows “You did it!”
Tony Lambert of Red Canary said the Mach-O compiled binaries don't seem to do all that much, and so are called ‘bystander binaries.’
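The distinction between version 1 (x86_64 only) and version 2 (x86_64 plus ARM64) comes straight from the Mach-O headers, and it is worth being able to check that yourself rather than trusting a sandbox label. The following is an added example, not code from the original article or from Red Canary: it parses the universal ("fat") header and the thin 64-bit header to list the architectures a file is built for, and rejects a Java .class file, which shares the 0xCAFEBABE magic. The sample headers are constructed inline to stand in for a v1-style thin binary and a v2-style universal binary; they are not the real Silver Sparrow files.

```python
import struct

# Magic values and CPU types from <mach-o/fat.h>, <mach-o/loader.h>
# and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE          # universal ("fat") file; header fields are big-endian
MH_MAGIC_64 = 0xFEEDFACF        # thin 64-bit Mach-O; header is little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007    # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C     # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_ARCH_SIZE = 20              # struct fat_arch: five 32-bit fields
MAX_FAT_SLICES = 32             # sanity bound; a Java .class file puts its version (>= 45) here


def macho_architectures(data: bytes) -> list:
    """Return the CPU architectures a Mach-O file is built for.

    Handles thin 64-bit files and universal files. Returns [] for anything
    that is not recognisably Mach-O, including truncated headers and Java
    class files (same 0xCAFEBABE magic, but followed by a version number
    rather than a plausible slice count).
    """
    if len(data) < 8:
        return []
    (magic_be,) = struct.unpack(">I", data[:4])
    if magic_be == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", data[4:8])
        if nfat == 0 or nfat > MAX_FAT_SLICES:
            return []
        if len(data) < 8 + nfat * FAT_ARCH_SIZE:
            return []                       # truncated fat header
        archs = []
        for i in range(nfat):
            off = 8 + i * FAT_ARCH_SIZE
            cputype, _subtype, _offset, _size, _align = struct.unpack(
                ">IIIII", data[off:off + FAT_ARCH_SIZE])
            archs.append(CPU_NAMES.get(cputype, "cputype_0x%08x" % cputype))
        return archs
    (magic_le,) = struct.unpack("<I", data[:4])
    if magic_le == MH_MAGIC_64:
        (cputype,) = struct.unpack("<I", data[4:8])
        return [CPU_NAMES.get(cputype, "cputype_0x%08x" % cputype)]
    return []


def runs_natively_on_apple_silicon(data: bytes) -> bool:
    """True if the file carries an arm64 slice, i.e. needs no Rosetta 2."""
    return "arm64" in macho_architectures(data)


# --- constructed samples (hypothetical headers, not the real malware) ---

def build_fat_header(cputypes):
    """Universal-file header with one zero-sized slice per cputype."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for ct in cputypes:
        hdr += struct.pack(">IIIII", ct, 0, 0, 0, 0)
    return hdr


def build_thin_header(cputype):
    """mach_header_64 with only magic and cputype populated."""
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 0, 0, 0, 0, 0)


SAMPLE_V1_STYLE = build_thin_header(CPU_TYPE_X86_64)                  # x86_64 only
SAMPLE_V2_STYLE = build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])  # universal
SAMPLE_JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 52)            # minor=0, major=52

if __name__ == "__main__":
    for name, blob in [("v1-style", SAMPLE_V1_STYLE),
                       ("v2-style", SAMPLE_V2_STYLE),
                       ("java class", SAMPLE_JAVA_CLASS)]:
        print(name, macho_architectures(blob), runs_natively_on_apple_silicon(blob))
```

To run this against a real file, read it with `open(path, "rb").read()` and pass the bytes in; `file(1)` or `lipo -archs` will give the same answer on a Mac, but the parser is handy on a Linux analysis box where those tools are not installed.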
It is not known what payload the malware would distribute, whether a payload has already been delivered and removed, or whether the adversary has a future timeline for distribution.
The 29,139 infected macOS endpoints are spread across 153 countries, with the highest detection volumes in the U.S., the U.K., Canada, France, and Germany.
While “agent.sh” executes immediately at the end of the installation to inform an AWS-hosted command-and-control (C2) server of a successful installation, “verx.sh” runs once every hour, contacting the C2 server for additional content to download and execute.
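An hourly check-in is a very regular signal, and periodicity is one of the few things about this malware that defenders can hunt for without knowing what the payload will be. The following is an added example, not code from the original article or from Red Canary: it groups outbound connections by (source host, destination) and flags pairs whose inter-contact gaps are near-constant. The proxy log lines, host names and the destination `c2-bucket.example.com` are all constructed for the example; they are not Silver Sparrow indicators.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed proxy log: "<timestamp> <source host> <destination host>".
# mac-01 checks in roughly once an hour with a few seconds of jitter;
# mac-02 and mac-03 are ordinary, irregular browsing.
SAMPLE_LOG = """\
2021-02-18T09:00:05Z mac-01 c2-bucket.example.com
2021-02-18T09:12:40Z mac-02 www.example.com
2021-02-18T10:00:12Z mac-01 c2-bucket.example.com
2021-02-18T10:31:02Z mac-02 cdn.example.net
2021-02-18T11:00:01Z mac-01 c2-bucket.example.com
2021-02-18T11:02:55Z mac-02 www.example.com
2021-02-18T12:00:09Z mac-01 c2-bucket.example.com
2021-02-18T12:45:10Z mac-02 www.example.com
2021-02-18T13:00:03Z mac-01 c2-bucket.example.com
2021-02-18T13:00:30Z mac-03 www.example.com
2021-02-18T14:00:07Z mac-01 c2-bucket.example.com
2021-02-18T14:00:31Z mac-03 www.example.com
"""


def parse_log(text: str) -> dict:
    """Map (src, dst) -> list of epoch timestamps."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[(src, dst)].append(t.timestamp())
    return events


def find_beacons(events: dict, min_hits: int = 4, max_jitter: float = 0.05) -> dict:
    """Return {(src, dst): period_seconds} for pairs that look like beacons.

    A pair is flagged when it has at least min_hits contacts and every gap
    between consecutive contacts lies within max_jitter (fraction of the
    median gap) of that median. Human browsing is bursty and fails this;
    a scheduled task firing every hour passes it.
    """
    flagged = {}
    for pair, times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue                         # duplicate timestamps, not a beacon
        spread = max(abs(g - period) for g in gaps) / period
        if spread <= max_jitter:
            flagged[pair] = round(period)
    return flagged


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: contacts every ~{period}s")
```

A strict hourly cadence on its own is also what a legitimate updater looks like, so in practice the periodicity hit should be joined with the other signals the article gives: a shell script as the thing doing the contacting, an AWS-hosted destination the host has no business reason to talk to, and a signing identity that Apple has since revoked.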
The malware also has the capability to completely erase its presence from the compromised host.
In response to the findings, Apple has revoked the Developer ID certificates used to sign the binaries, Saotia Seay (v1) and Julie Willey (v2), so that further installations of those signed binaries are blocked.
Lambert added that even though they haven’t found Silver Sparrow delivering additional malicious payloads so far, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a serious threat that could deliver a potentially impactful payload at any time.