Mysterious malware infecting Apple Silicon Macs has no payload – yet


Protect Your Access to the Internet

More malware affecting Apple Silicon Macs has been uncovered, but researchers have spotted that it is lacking a malicious payload, for the moment.

It seems that there may be more malware aimed at Apple’s M1-based Macs than previously thought. Following the initial reports of the first M1 malware found in the wild, it seems that there are more infections of malware, but of a particularly toothless variety.

Early in February, researchers from Red Canary discovered a strain of macOS malware that used LaunchAgent to make its presence, much like some other forms of malware. What was of interest to the researchers was that the malware behaved differently from typical adware, due to how it used JavaScript for execution.

The malware cluster, named by the researchers as “Silver Sparrow,” also involved a binary compiled to work with M1 chips. This made it malware that would potentially target Apple Silicon Macs.

Further research from researchers at VMware Carbon Black and Malwarebytes determined it was likely that Silver Sparrow was a “previously undetected strain of malware.” As of February 17, it had been detected in 29,139 macOS endpoints across 153 countries, with the bulk of infections residing in the US, the UK, Canada, France, and Germany.

At the time of publication, the malware hasn’t been used to deliver a malicious payload to victim Macs, though that could change in the future. Due to the compatibility with M1, the “relatively high infection rate” and the operational maturity of the malware, it was deemed to be a serious enough threat that is “uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” prompting a public disclosure.

Two versions of the malware were discovered, with one version’s payload consisting of a binary affecting Intel-based Macs only, while the other was a binary that was compiled for both Intel and M1 architectures. The payload is seemingly a placeholder, as the first version opens a window that literally says “Hello, World!” and the second states “You did it!”

An example of the included binary [via Red Canary]

If it were malicious malware, the payload could potentially allow the same or similar payload instructions to affect both architectures from a single executable.