M1 Macs Targeted With Additional Malware, Danger Remains a Mystery

The second known piece of malware compiled to run natively on M1 Macs was discovered by security company Red Canary.



Named “Silver Sparrow,” the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After monitoring the malware for more than a week, however, neither Red Canary nor its research partners observed a final payload, so the real threat posed by the malware remains a mystery.

However, Red Canary said the malware could be a “real threat”:

While we haven’t seen Silver Sparrow deliver additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity show that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.

According to data provided by Malwarebytes, “Silver Sparrow” had infected 29,139 macOS systems across 153 countries as of February 17, including “high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany.” Red Canary did not specify how many of these systems were M1 Macs, if any.

Since the “Silver Sparrow” binaries don’t seem to do much of anything yet, Red Canary has referred to them as “bystander binaries.” When executed on Intel-based Macs, the malicious package simply shows a blank window with a “Hello, World!” message, while the Apple silicon binary displays a red window that says “You did it!”



Red Canary has shared methods for detecting a wide range of macOS threats, but they are not specific to finding “Silver Sparrow”:

– Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing: LaunchAgents and RunAtLoad and true. This analytic helps us detect multiple macOS malware families establishing LaunchAgent persistence.
– Look for a process that appears to be sqlite3 executing in conjunction with a command line containing: LSQuarantine. This analytic helps us detect multiple macOS malware families manipulating or searching metadata for downloaded files.
– Look for a process that appears to be curl executing in conjunction with a command line containing: s3.amazonaws.com. This analytic helps us detect multiple macOS malware families using S3 buckets for distribution.
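The three analytics above are process-name plus command-line matches, which is easy to run over endpoint telemetry. The script below is an added example, not Red Canary's tooling or code from the original page: it encodes the three rules and applies them to constructed process-execution events (the command lines, file names and bucket name are made up for illustration; the `com.apple.LaunchServices.QuarantineEventsV2` path is the real location of the quarantine database).

```python
"""Added example, not code from the page or from Red Canary: the three
detection analytics quoted above run over constructed process-execution
events, the kind of record an EDR or Endpoint Security client would emit.
The sample command lines are constructed for illustration only."""

import os
import shlex
from typing import Dict, List, Tuple

# (rule name, expected process basename, substrings the command line must contain)
# The substrings mirror the three analytics in the text.
RULES: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("launchagent_persistence", "PlistBuddy", ("LaunchAgents", "RunAtLoad", "true")),
    ("quarantine_metadata_query", "sqlite3", ("LSQuarantine",)),
    ("s3_bucket_download", "curl", ("s3.amazonaws.com",)),
]


def process_name(cmdline: str) -> str:
    """Basename of argv[0]; shlex.split keeps quoted arguments intact."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        # Unbalanced quotes: fall back to the first whitespace-delimited token.
        argv = cmdline.split()
    return os.path.basename(argv[0]) if argv else ""


def match_rules(cmdline: str) -> List[str]:
    """Names of the analytics that fire for one process-execution event."""
    name = process_name(cmdline)
    hits = []
    for rule, proc, needles in RULES:
        if name == proc and all(n in cmdline for n in needles):
            hits.append(rule)
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) pairs for every event that matched a rule."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            alerts.append((ev["id"], rule))
    return alerts


# Constructed sample telemetry (not real Silver Sparrow data).
SAMPLE_EVENTS = [
    {"id": "e1", "cmdline": '/usr/libexec/PlistBuddy -c "Add :RunAtLoad bool true" '
                            '/Users/alice/Library/LaunchAgents/com.example.agent.plist'},
    {"id": "e2", "cmdline": "sqlite3 /Users/alice/Library/Preferences/"
                            "com.apple.LaunchServices.QuarantineEventsV2 "
                            "'select LSQuarantineDataURLString from LSQuarantineEvent'"},
    {"id": "e3", "cmdline": "/usr/bin/curl -s https://example-bucket.s3.amazonaws.com/pkg.tgz -o /tmp/pkg.tgz"},
    # Benign look-alikes: right tool, wrong arguments.
    {"id": "e4", "cmdline": '/usr/libexec/PlistBuddy -c "Print :CFBundleVersion" '
                            '/Applications/Example.app/Contents/Info.plist'},
    {"id": "e5", "cmdline": "/usr/bin/curl -s https://example.com/index.html"},
    {"id": "e6", "cmdline": "/bin/ls -la /Users/alice/Library/LaunchAgents"},
]


if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Only e1, e2 and e3 fire; the PlistBuddy version check, the plain curl and the ls do not. As Red Canary notes, these analytics are deliberately broad: legitimate installers also write RunAtLoad LaunchAgents, and the bare `true` substring will match any command line that happens to contain it, so hits are a starting point for triage rather than a conviction.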

The first piece of malware able to run natively on M1 Macs was discovered just a few days earlier. Technical details about this second piece of malware can be found in the Red Canary blog post, and Ars Technica has a good write-up as well.
