30,000 Macs are at threat from mysterious malware


News of Macs getting infected with malware is relatively uncommon. However, a new threat that has currently infected almost 30,000 Mac devices has security researchers worried due to its sophisticated nature and lack of available information.

Researchers at Red Canary have discovered a new strain of macOS malware which they have dubbed “Silver Sparrow”. The malware is strange in numerous ways, with the major one being that it has remained mostly dormant so far. Despite the fact that it communicates with control servers once an hour awaiting potentially malicious binaries to execute, it has deployed no malicious payload as of yet.

Furthermore, apart from the Intel x86_64 variant, there is also an Apple M1 counterpart. Both variants contain “bystander binaries” which, when executed, print “Hello World!” on the Intel version and “You did it!” on the Apple M1 version.

While having these messages printed on the display isn’t a major concern on its own, it clearly points to a bigger issue: these placeholder binaries could eventually start executing a malicious payload received from the control servers. Red Canary highlighted that the complex infrastructure makes efficient use of AWS and Akamai CDNs, making it very difficult to track and take down.

Another concerning fact about Silver Sparrow is that it contains self-destruct mechanisms which remove all traces of the malware from infected devices. What’s even more mysterious is that this mechanism hasn’t been observed by default on infected machines, which means that it was downloaded ad hoc based on meeting currently unknown conditions.

Furthermore, the distribution techniques of Silver Sparrow are unknown as well. Red Canary researchers stated that:

At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe. First, we aren’t certain of the initial distribution method for the PKG files. We suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In…