A second malware that targets Macs with Apple’s in-house M1 chip is infecting machines worldwide — but it’s unclear why.
Hard on the heels of a macOS adware being recompiled to target Apple’s new in-house processor, researchers have discovered a brand-new family of malware targeting the platform.
Curiously, in the samples seen so far by analysts at Red Canary, the malware (dubbed Silver Sparrow) has been executing on victim machines with the final payload yet to be determined. It appears to be lying in wait for further instructions, which is worrying because it’s clear that the authors are advanced and sophisticated adversaries, researchers said.
Click to Register
Silver Sparrow has taken flight in any event: As of February 17, this fresh entry to the malware scene had already infected 29,139 macOS endpoints across 153 countries, according to researchers – primarily in Canada, France, Germany, the United Kingdom and the United States.
A Word About the Benefits of the Mac M1
Apple released the M1 system-on-a-chip (SoC) last fall, marking the first time that the tech giant has created its own desktop/laptop silicon. The pivot from the Intel chips that Macs used before comes with a few benefits, such as faster performance for native applications. It also integrates a graphics processor, a machine-learning neural engine and the company’s T2 security chip. And, it uses ARM architecture, which usually powers mobile or portable devices. The smaller ARM profile translates into lower power consumption, and, Apple says, double the battery life.
With new Macs starting to roll out, cybercriminals are now turning their attention to these M1-powered targets, as evidenced by the emergence of a rebooted
“Pirrit” adware detailed by Patrick Wardle this week. And now, the Silver Sparrow malware family has appeared on the scene – a brand-new malware built for the Mac M1 ecosystem, researchers said.
Silver Sparrow Leaves the Nest
Silver Sparrow is very likely an adware, according to researchers at Red Canary. It has two versions – one that targets Intel-based Macs, and one that is built to infect both the older and M1-based devices. Most notably, it uses JavaScript for execution – a rarity in the macOS malware world.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” researchers said
in a posting on Thursday.
It’s unclear how the malware is spreading – though both binaries have “package” in their names, lending a clue. Researchers noted, “We’ve found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as [updates for a legitimate application]”—such as Adobe Flash Player, as an example.
Cloud-Hosted Infrastructure
Silver Sparrow’s infrastructure is hosted on Amazon Web Services S3 cloud platform, according to Red Canary. And, the callback domains it uses are hosted through Akamai’s content delivery network (CDN).
“This implies that the adversary likely understands…this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic,” researchers noted. “Most organizations cannot afford to block access to resources in AWS and Akamai. The decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary.”
JavaScript-Based Malware Development
Other signs of sophistication are evident in the malware’s construction. For instance, to start its installation, Silver Sparrow uses the macOS Installer JavaScript API to execute suspicious commands, the analysis found. That’s an unusual approach, according to Red Canary.
“While we’ve observed legitimate software doing this, this is the first instance we’ve observed it in malware,” researchers said. “This is a deviation from behavior we usually observe in malicious macOS installers, which generally use preinstall or postinstall scripts to execute commands.”
Using malicious JavaScript commands and the legitimate macOS Installer process has the benefit of limiting visibility into the contents of the installation package, the firm added.
Once installed, Silver Sparrow uses Apple’s system.run command for execution.
“Apple documented the system.run code as launching ‘a given program in the Resources directory of the installation package,’ but it’s not limited to using the Resources directory,” researchers explained. “As observed with Silver Sparrow, you can provide the full path to a process for execution and its arguments. By taking this route, the malware causes the installer to spawn multiple bash processes that it can then use to accomplish its objectives.”
This gives the developers a lot of flexibility when it comes to evolving the malware over time, researchers said. The bash commands can be extended with arguments that write input to files on disk, which are written out line-by-line with JavaScript commands. This is a choice that will let the adversary quickly modify the code and ease development, according to Red Canary – and, it helps the malware to avoid simple static antivirus signatures by dynamically generating the script rather than using a static script file.
Once fully executed, Silver Sparrow leaves two scripts on an infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.
The agent.sh script executes immediately at the end of the installation to contact the command-and-control (C2) server to indicate that installation has successfully occurred. The verx.sh script meanwhile executes periodically, using a persistent LaunchAgent to contact a remote host for more information, including to check for additional content to download and execute.
“LaunchAgents provide a way to instruct launchd, the macOS initialization system, to periodically or automatically execute tasks,” researchers explained. “Every hour, the persistence LaunchAgent tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.”
A Mystery End Goal: Mac Adware?
In observing the malware’s check-ins to the C2 for over a week, none of the nearly 30,000 affected hosts downloaded what would be the next or final payload. This would presumably be a component that would carry out malicious actions like data exfiltration, cryptomining, ransomware, adware or DDoS bot enslavement, to name a few possibilities.
In other words, Silver Sparrow’s wings are clipped, for now.
“The ultimate goal of this malware is a mystery,” researchers said. “We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.”
A clue as to what its developers may be going for exists at the end of the installation routine, researchers noticed.
“At the end of the installation, Silver Sparrow executes two discovery commands to construct data for a curl HTTP POST request indicating that the installation occurred. One retrieves…the URL used to download the original package file,” they explained. “By executing a sqlite3 query, the malware finds the original URL the .PKG downloaded from, giving the adversary an idea of successful distribution channels. We commonly see this kind of activity with malicious adware on macOS.”
Odd Placeholder Binaries
Silver Sparrow contains a further mystery in the form of placeholder binaries.
Both versions of Silver Sparrow have an extraneous Mach-O binary that appears to play no additional role in their execution.
“Ultimately this binary seems to have been included as placeholder content to give the PKG something to distribute outside the JavaScript execution,” analysts noted.
The Intel-only version simply says, “Hello, World!”; and the M1-compatible sample displays the message “You did it!”
“Based on the data from script execution, the binary would only run if a victim intentionally sought it out and launched it. The messages we observed of ‘Hello, World!’ or ‘You did it!’ could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate,” Red Canary concluded.
The callback domain for the M1 version of Silver Sparrow was created Dec. 5, shortly after the SoC launched. In all, having two different malwares – Wardle’s discovery and Silver Sparrow – circulating already for what remains a limited platform is a notable development, researchers said. And Apple is already planning M1’s successor,
the M1x chip, so the development work necessary to target this platform is far from finished. Is it worth malware authors’ time?
That remains to be seen, but “this is significant because the M1 ARM64 architecture is young, and researchers have uncovered very few threats for the new platform,” researchers noted.