Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,488
13,129


The second known piece of malware that has been compiled to run natively on M1 Macs has been discovered by security firm Red Canary.


Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, neither Red Canary nor its research partners observed a final payload, so the exact threat that the malware poses remains a mystery.

Nevertheless, Red Canary said the malware could be "a reasonably serious threat":
Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.
According to data provided by Malwarebytes, "Silver Sparrow" had infected 29,139 macOS systems across 153 countries as of February 17, including "high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany." Red Canary did not specify how many of these systems were M1 Macs, if any.

Given that the "Silver Sparrow" binaries "don't seem to do all that much" yet, Red Canary referred to them as "bystander binaries." When executed on Intel-based Macs, the malicious package simply shows a blank window with a "Hello, World!" message, while the Apple silicon binary leads to a red window that says "You did it!"


Red Canary shared methods for detecting a wide array of macOS threats, but the steps are not specific to detecting "Silver Sparrow":
- Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing in conjunction with a
command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
- Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.
The first piece of malware capable of running natively on M1 Macs was discovered just days ago. Technical details about this second piece of malware can be found in Red Canary's blog post, and Ars Technica has a good explainer as well.

Article Link: M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery
 
Last edited:

Apple_Robert

Contributor
Sep 21, 2012
22,511
26,007
In the middle of several books.
Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?
" the adversary distributed the malware in two distinct packages: updater.pkg and update.pkg. Both versions use the same techniques to execute, differing only in the compilation of the bystander binary."

 
Comment

Fowl

macrumors member
Sep 28, 2018
73
59
Too lazy for the sources. How are Macs getting infected? Is it a trojan? I'm really surprised by this.
They don't say. You need to run an installer to, well, install it. So don't download and run that "Flash Updater" or "Anti-Virus software", even if you are urged to do so by flashing Windows-style alerts.

What's new here is that installer uses a new mechanism to install the malware.

...we aren’t certain of the initial distribution method for the PKG files. We suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In this case we can’t be certain because we don’t have the visibility to determine exactly what caused the download.
 
Comment

luvbug

macrumors 6502a
Aug 11, 2017
529
1,436
Getting closer every day!
Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
 
Comment

chachawpi

macrumors regular
Feb 7, 2009
115
128
Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?
 
Comment

litmag01

macrumors 6502
Jul 16, 2009
292
125
Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?
Great question. The article says this is due to some interesting post instal self deletion. The UUID/correct download URL broadcast is pretty interesting too. As of 02/18 the article lists the vectors as pretty much unknown with a global distribution of ~29K machines. Exhaustive country list not documented.
 
Comment

Joniz

macrumors 6502
Sep 21, 2017
452
1,193
Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.

Because it’s nice to hear that more developers are porting to Apple Silicon.

It’s a feel-good article.
 
Comment

litmag01

macrumors 6502
Jul 16, 2009
292
125
If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?
Definitely. The many unknowns (delivery) and unique install method (JAVA) make this concerning. Odder still, the intel variant has been in the wild since Aug. 2020 and M1 since Dec. 2020 (pretty close to as soon as they started initial public deliveries) so this has had some circulation time.
 
Comment

Populus

macrumors 68000
Aug 24, 2012
1,680
1,683
Valencia, Spain.
Well, color me concerned.

Is this threat capable of infecting without our consent? (This is, allowing privileges when it tries to install itself). You know, requiring us to put the system password when required. Because otherwise, we should be safe just installing only from well known sources. Or Open Source software.

By the way thank you MacRumors (@Joe Rossignol, @arn) for letting us know about this issues. Just like on other issues like staingate and the butterflykeyboardgate, It is great that you report all this problems even if some people don’t like to hear about them.
 
Comment

Joe Rossignol

Editor
Staff member
May 12, 2012
673
1,911
🇨🇦
Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?

Red Canary's post provides general advice for detecting macOS threats, but not specific to this "Silver Sparrow" malware:
  • Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
  • Look for a process that appears to be sqlite3 executing in conjunction with a
    command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
  • Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.
(Updated our coverage with this info.)
 
Comment

Wando64

macrumors 65816
Jul 11, 2013
1,036
1,231
Wow, two malware threats can run natively on M1 processor.
Remind me, how many can run on Intel?

Anyway, surely this is more of an OS weakness than a processor issue, no?

EDIT: I seem to have accumulated 3 disagreements with my statement above.
I am now curious. @KeithBN @shadowbird423 and @miq how do you suggest code can be run without passing through the OS first? I accept that I can be wrong. Care to explain though?
 
Last edited:
Comment

Unregistered 4U

macrumors 68020
Jul 22, 2002
2,278
1,429
Definitely. The many unknowns (delivery) and unique install method (JAVA) make this concerning. Odder still, the intel variant has been in the wild since Aug. 2020 and M1 since Dec. 2020 (pretty close to as soon as they started initial public deliveries) so this has had some circulation time.
BUT, Security researchers say that a phone that is capable of sending and receiving messages is a “big deal”. And it is. It doesn’t mean that the folks need to be concerned that their cellular phone can send and receive data.
 
Comment

buckwheet

macrumors regular
Mar 30, 2014
245
241
It seems to me the malware runs on both Intel and M1, no? So... uh... it runs on.... wait for it.... a COMPUTER.... oooooh....
I mean, I don't see anything indicating that it won't run on Intel, and printing "Hello World" is the canonical demonstration of code running.... So why do people seem to be gloating about M1 being a problem and Intel being okay???
 
Comment

luvbug

macrumors 6502a
Aug 11, 2017
529
1,436
Getting closer every day!
If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?
My point is that this is NOT specific to M1. Why wasn't it reported for all Macs? Why the big M1 emphasis? This isn't just about M1 Macs. Read the article. What's more, the authors of the report admit they don't even know how many of the infected machines *are* M1s specifically. Thus my criticism that it's click bait, in that regard. I don't have a problem with Mac security issues being reported, give me a break (or don't).
 
Comment

Fowl

macrumors member
Sep 28, 2018
73
59
Note that the novel virus installation mechanism is in JavaScript, and is therefore architecture-independent. The payload, i.e. the installed application, was compiled for both architectures, but in the versions of the virus detected so far it's just a harmless placeholder.
 
  • Like
Reactions: shadowbird423
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.