Security Researchers from Red Canary, Malwarebytes and VMWare Carbon Black recently discovered a new malware, dubbed Silver Sparrow, that has affected around 30,000 MacOS devices in more than 150 countries including the United States, the United Kingdom, Canada, France, and Germany.
Even though Silver Sparrow has infected thousands of MacOS devices worldwide, possibly more than the numbers disclosed by security researchers, details about the distribution of the malware are still unknown.
“According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany,” Red Canary’s Tony Lambert stated in his report published last week.
According to security researchers, the malware did not exhibit the normal behaviour that was expected out of it. Also, it’s still not clear how the malware infected MacOS devices. However, researchers believe the malware can hide inside malicious ads, pirated apps, or fake Flash updates but so far, the purpose of this malware and its final goal are yet to be uncovered.
As per available information, hackers behind Silver Sparrow are distributing the malware “in two distinct packages: updater.pkg and update.pkg. Both versions use the same techniques to execute, differing only in the compilation of the bystander binary.’
Once the Silver Sparrow malware infects a system, it waits for further commands to execute its purpose. However, no such command was executed when the researchers were investigating the malware. Red Canary however, warns that this should not be interpreted as a failed malware strain. It is possible that the malware has the ability to detect that it is being investigated.
Silver Sparrow is the second such malware strain that can run on Apple’s latest M1 chip architecture. “Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” said Lambert.
“Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
Commenting on the discovery of Silver Sparrow, David Kennefick, product architect at Edgescan said that there is a misconception around Apple devices that they are not susceptible to malware infections, which is a myth that needs to be debunked. While it certainly makes sense for malware authors to target more popular OS types with greater frequency, there have been many examples of OS X-specific malware as well.
“Mac users are advised to update their operating systems and install an antivirus. Apple devices are the same as any other piece of technology, they can be infected with malware and/or viruses. Apps should also be updated regularly to ensure that the latest, safe version is installed, to avoid these becoming the entry vector for threat actors,” he added.
This is not the first time that hackers have found ways to get inside MacOS devices and perform malicious activities in line with their broader objectives. Earlier, security experts at Kaspersky Lab discovered that cyber criminals had found a way to inject malware into MacOS devices and exfiltrate information about installed applications by using a malware-ridden EXE file which only runs on Windows platforms.
On this occasion, cyber criminals targeted Mono, a free system that lets users run Windows applications in MacOS and other operating systems. The hackers packaged the Mono framework with malware, thereby making the malware run successfully on devices running the MacOS operating system.
After installation, the malware first collects information about the infected system. Cybercriminal interest is focused on the name of the model, device IDs, processor specifications, RAM, and many other things. The malware also harvests and sends information about installed applications to its C&C server.
“Simultaneously, it downloads several more images to the infected computer with installers masked as Adobe Flash Media Player, or Little Snitch. They are in fact run-of-the-mill adware tools that pester you with banners,” the researchers said.
According to Kaspersky Lab, if macOS users need to run software on their devices that help them use Windows applications, then they must install the genuine software and not its pirated versions. At the same time, if users are downloading applications from unknown sources, they must ensure that such applications do not feature extra files that are either unnecessary or suspicious.