This Week In Security: Mysterious Mac Malware, An Elegant VMware RCE, And A JSON Mess

There’s a new malware strain targeting MacOS, Silver Sparrow, and it’s unusual for a couple reasons. First, it’s one of the few pieces of malware that targets the new M1 ARM64 processors. Just a reminder, that is Apple’s new in-house silicon design. It’s unusual for a second reason — it’s not doing anything. More precisely, while researchers have been watching, the command and control infrastructure didn’t provide a payload. Silver Sparrow has been positively found on nearly 30,000 machines.

The malware also has an intentional kill switch, where the presence of a particular file triggers a complete removal of the malware package. Researchers at Red Canary point out that this package behaves very much like a legitimate program, difficult to pick out as malware. Ars Technica got an off-the-record statement from Apple, indicating that they are tracking the situation, and have revoked the developer’s certificate used to sign the malware. It’s not entirely clear whether this prevents the malware running on already compromised machines, or just stops new infections.

So who’s behind Silver Sparrow? The observed stealth mode and other complexities suggest that this is more than a simple adware or ransomware campaign. Since it was discovered before the payload was delivered, we may never know what the purpose is. It may have been a government created campaign, targeting something specific.

VMware RCE

The details of a VMware vulnerability were published this week, and the attack struck me as rather elegant. CVE-2021-21972 is a combination of two problems. The first is that the VMware web interface exposes an HTTP endpoint that doesn’t enforce user authentication. One of the functions of this endpoint is to allow the upload of an archive file, and extract this in the /tmp directory. The second problem is that the extraction function didn’t properly sanitize the names of the extracted files. Hence, it was possible to create an archive with a path transversal attack.

Here we have two very simple flaws, and when put together, allow a completely unauthenticated actor to easily get arbitrary code execution on the machine running VMware. The attack works on…