A new malware discovered on some 30,000 Macs — both Intel and Apple’s M1 variety — has researchers stumped.
Malware is a relatively rare thing in the Mac community. For decades, the Mac enjoyed “security through obscurity,” meaning that its low market share made it a low-priority target for most hackers. In addition, macOS is based on UNIX, giving it relatively secure underpinnings. Apple has also taken a number of major steps to further harden macOS, all of which make it a very secure operating system (OS).
Nonetheless, researchers at Red Canary have discovered two variants of a macOS malware they have dubbed “Silver Sparrow.” According to the researchers, the only real difference between the two variants is that one targets Intel-based Macs exclusively, while the second is a universal binary, meaning it contains native code for both Intel and M1-based Macs and runs on either.
The latter is especially significant, since Apple’s custom M1 chip is based on Arm designs, and is essentially a desktop-class version of the chip used in the iPhone and iPad. As of the time of writing, Silver Sparrow has infected some 29,139 Macs in 153 countries. High numbers of infected machines were found in the US, UK, Canada, France and Germany.
What’s even more suspicious, however, is that there doesn’t appear to be a payload in the malware. A payload is the final goal the malware is programmed to carry out, such as locking files for ransom, deleting files, stealing information, etc. With Silver Sparrow, researchers have yet to find its payload. They know the malware checks in every hour to see what new content its creators want it to download, but as of yet no payload has been downloaded by the infected machines.
“After observing the malware for over a week, neither we nor our research partners observed a final payload, leaving the ultimate goal of Silver Sparrow activity a mystery,” writes Red Canary’s Tony Lambert.
Red Canary also found the malware was “distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as a legitimate application—such as Adobe Flash Player—or as updates,” adds Lambert. “In this case, however, the adversary distributed the malware in two distinct packages: updater.pkg and update.pkg.”
It remains to be seen what the ultimate goal of Silver Sparrow’s creators is. In the meantime, macOS users should update their antivirus software and check out Red Canary’s blog for detection and mitigation information.