M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery

[MacRumors]

The second known piece of malware that has been compiled to run natively on M1 Macs has been discovered by security firm Red Canary.

Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, neither Red Canary nor its research partners observed a final payload, so the exact threat that the malware poses remains a mystery.

Nevertheless, Red Canary said the malware could be "a reasonably serious threat":

Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

According to data provided by Malwarebytes, "Silver Sparrow" had infected 29,139 macOS systems across 153 countries as of February 17, including "high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany." Red Canary did not specify how many of these systems were M1 Macs, if any.

Given that the "Silver Sparrow" binaries "don't seem to do all that much" yet, Red Canary referred to them as "bystander binaries." When executed on Intel-based Macs, the malicious package simply shows a blank window with a "Hello, World!" message, while the Apple silicon binary leads to a red window that says "You did it!"

Red Canary shared methods for detecting a wide array of macOS threats, but the steps are not specific to detecting "Silver Sparrow":

- Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing in conjunction with a
command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
- Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

The first piece of malware capable of running natively on M1 Macs was discovered just days ago. Technical details about this second piece of malware can be found in Red Canary's blog post, and Ars Technica has a good explainer as well.

Article Link: M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery

 

[bsamcash]

Too lazy for the sources. How are Macs getting infected? Is it a trojan? I'm really surprised by this.

 

[CmdrLaForge]

Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?

 

[Zen_Arcade]

Following good online practices seems likely to prevent malware . . . whether on an M1 or other Mac.

 

[Vol Braakzakje]

it’s Intel that tries to get people afraid to buy M1s

 

[Apple_Robert]

Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?

" the adversary distributed the malware in two distinct packages: updater.pkg and update.pkg. Both versions use the same techniques to execute, differing only in the compilation of the bystander binary."

Silver Sparrow macOS malware with M1 compatibility

Silver Sparrow includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature: a payload

redcanary.com

 

[Fowl]

Too lazy for the sources. How are Macs getting infected? Is it a trojan? I'm really surprised by this.

They don't say. You need to run an installer to, well, install it. So don't download and run that "Flash Updater" or "Anti-Virus software", even if you are urged to do so by flashing Windows-style alerts.

What's new here is that installer uses a new mechanism to install the malware.

...we aren’t certain of the initial distribution method for the PKG files. We suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In this case we can’t be certain because we don’t have the visibility to determine exactly what caused the download.

 

[luvbug]

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.

 

[chachawpi]

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.

If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?

 

[litmag01]

Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?

Great question. The article says this is due to some interesting post instal self deletion. The UUID/correct download URL broadcast is pretty interesting too. As of 02/18 the article lists the vectors as pretty much unknown with a global distribution of ~29K machines. Exhaustive country list not documented.

 

[Joniz]

If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?

Except for some security researcher making a big deal about it is also self-serving.

 

[Joniz]

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.

Because it’s nice to hear that more developers are porting to Apple Silicon.

It’s a feel-good article.

 

[litmag01]

If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?

Definitely. The many unknowns (delivery) and unique install method (JAVA) make this concerning. Odder still, the intel variant has been in the wild since Aug. 2020 and M1 since Dec. 2020 (pretty close to as soon as they started initial public deliveries) so this has had some circulation time.

 

[Populus]

Well, color me concerned.

Is this threat capable of infecting without our consent? (This is, allowing privileges when it tries to install itself). You know, requiring us to put the system password when required. Because otherwise, we should be safe just installing only from well known sources. Or Open Source software.

By the way thank you MacRumors (@Joe Rossignol, @arn) for letting us know about this issues. Just like on other issues like staingate and the butterflykeyboardgate, It is great that you report all this problems even if some people don’t like to hear about them.

 

[Joe Rossignol]

Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?

Red Canary's post provides general advice for detecting macOS threats, but not specific to this "Silver Sparrow" malware:

• Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
• Look for a process that appears to be sqlite3 executing in conjunction with a
  command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
• Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

(Updated our coverage with this info.)

 

[Wando64]

Wow, two malware threats can run natively on M1 processor.
Remind me, how many can run on Intel?

Anyway, surely this is more of an OS weakness than a processor issue, no?

EDIT: I seem to have accumulated 3 disagreements with my statement above.
I am now curious. @KeithBN @shadowbird423 and @miq how do you suggest code can be run without passing through the OS first? I accept that I can be wrong. Care to explain though?

 

[SSD-GUY]

Intel be like

 

[Machead2012]

Thank you! I will not be buying anything that says M1 or M1x for at least 2 years.

 

[Populus]

Thank you! I will not be buying anything that says M1 or M1x for at least 2 years.

Actually -and anyone who thinks I am wrong, please correct me- I think this threat is the same for Intel and M1 macs. It is compiled for both architectures.

 

[Unregistered 4U]

Definitely. The many unknowns (delivery) and unique install method (JAVA) make this concerning. Odder still, the intel variant has been in the wild since Aug. 2020 and M1 since Dec. 2020 (pretty close to as soon as they started initial public deliveries) so this has had some circulation time.

BUT, Security researchers say that a phone that is capable of sending and receiving messages is a “big deal”. And it is. It doesn’t mean that the folks need to be concerned that their cellular phone can send and receive data.

 

[Unregistered 4U]

Actually -and anyone who thinks I am wrong, please correct me- I think this threat is the same for Intel and M1 macs. It is compiled for both architectures.

Yes, this is just saying that it’s been compiled for M1. No worries unless you have a VERY VERY strong need to download and open every piece of executable code you find.

 

[buckwheet]

It seems to me the malware runs on both Intel and M1, no? So... uh... it runs on.... wait for it.... a COMPUTER.... oooooh....
I mean, I don't see anything indicating that it won't run on Intel, and printing "Hello World" is the canonical demonstration of code running.... So why do people seem to be gloating about M1 being a problem and Intel being okay???

 

[luvbug]

If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?

My point is that this is NOT specific to M1. Why wasn't it reported for all Macs? Why the big M1 emphasis? This isn't just about M1 Macs. Read the article. What's more, the authors of the report admit they don't even know how many of the infected machines *are* M1s specifically. Thus my criticism that it's click bait, in that regard. I don't have a problem with Mac security issues being reported, give me a break (or don't).

 

[Fowl]

Note that the novel virus installation mechanism is in JavaScript, and is therefore architecture-independent. The payload, i.e. the installed application, was compiled for both architectures, but in the versions of the virus detected so far it's just a harmless placeholder.

 

[Apple_Robert]

Thank you! I will not be buying anything that says M1 or M1x for at least 2 years.

Why is that? Intel is at risk as well.