When Apple launched the M1 processor for a new generation of MacBooks last year, it was billed as a game-changing SoC. It is Apple’s first proprietary chipset for macOS devices, and also its first ARM processor. However, the new platform also presents a new canvas for threat actors to target.

Some have been successful, according to security researchers, with a new family of malware found hiding on macOS. Security firm Red Canary says malware it calls Silver Sparrow is on around 30,000 MacBooks running the M1 processor.

Samples execute on the victim device, but researchers have yet to understand how the payload is initiated. Instead, it seems the malware is somewhat dormant and waiting for more instructions. The security team says this is a problem and a sign of the attack’s high sophistication.

Hard on the heels of a macOS adware being recompiled to target Apple’s new in-house processor, researchers have discovered a brand-new family of malware targeting the platform.

With 29,139 confirmed infections in 153 countries, this is clearly a global problem for all macOS users running new hardware. As you may expect, the majority of cases have been found in the United States, United Kingdom, France, Canada, and Germany.

What Is Silver Sparrow?

Red Canary points out the exact nature of Silver Sparrow remains unknown, although it is likely an adware infiltration. There are two versions targeting macOS, the version found on M1 machines and another hiding in Intel-based Macs.

Silver Sparrow uses JavaScript to execute on machines. That’s somewhat surprising because JavaScript is not common on macOS:

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” researchers said in a posting.

It is still not known how Silver Sparrow spreads, but some things are known. For example, the infrastructure for the malware is hosted on Amazon Web Services (AWS) S3, and callback domains are hosted on Akamai’s CDN platform. Researchers say this likely means the threat actors are sophisticated:

“This implies that the adversary likely understands…this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic. Most organizations cannot afford to block access to resources in AWS and Akamai. The decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary.”

What’s It For?

What the end version of Silver Sparrow will do remains to be seen. Researchers are unsure what the final payload is, despite monitoring the malware for over two weeks.

“The ultimate goal of this malware is a mystery,” researchers add. “We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.”
