
Silver Sparrow, a new malware infects Mac systems using Apple M1 chip

Experts warn of new malware, dubbed Silver Sparrow, that is infecting Mac systems using the latest Apple M1 chip across the world.

Malware researchers at Red Canary uncovered a new malware, dubbed Silver Sparrow, that is infecting Mac systems using the latest Apple M1 chip across the world.

According to data shared by Malwarebytes, as of February 17, Silver Sparrow had already infected 29,139 macOS endpoints across 153 countries. Most of the infections were observed in Canada, France, Germany, the United Kingdom, and the United States.

“However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems.” reads the analysis published by RedCanary. “The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware—and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture.”

Like the other malware recently spotted by the popular expert Patrick Wardle, Silver Sparrow is a macOS adware that was recompiled to infect systems running the Apple M1 chip.

At the time of this writing, it is not clear what final payload the threat actors behind the Silver Sparrow adware intend to deploy on victim machines. Experts believe the malware is the work of advanced and sophisticated adversaries.

Threat actors are focusing their efforts on developing threats that target devices using the new Apple chip. Wardle pointed out that (static) analysis tools and antivirus engines have difficulty analyzing ARM64 binaries, as shown by the fact that the detection rate for these samples is lower than for the Intel x86_64 versions.

RedCanary experts found two versions of the Silver Sparrow adware: one designed to target Intel-based Macs, and one built to infect M1-powered systems as well. The malicious code stands out for its use of JavaScript for execution, which is a rarity in the macOS malware landscape.

The number of infected devices and the specific targets of this malware led the experts to believe that the threat actors are preparing a dangerous campaign that will involve a still-unknown malicious payload.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.” continue the researchers.

At this time it is unclear how the threat actors are spreading the malware.

The command and control infrastructure is hosted on the Amazon Web Services S3 cloud platform, while callback domains for this activity cluster leveraged domains hosted through Akamai CDN.

“This implies that the adversary likely understands cloud infrastructure and its benefits over a single server or non-resilient system. Further, the adversary that likely understands this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic. Most organizations cannot afford to block access to resources in AWS and Akamai.” continues the analysis. “The decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary.”

Silver Sparrow uses the macOS Installer JavaScript API to execute suspicious commands; this is the first time experts have observed this behaviour in malware.

“The malicious JavaScript commands, on the other hand, run using the legitimate macOS Installer process and offer very little visibility into the contents of the installation package or how that package uses the JavaScript commands.” continues the analysis.

Silver Sparrow leverages Apple's system.run command for execution: the attacker can provide the full path to a process to execute, along with its arguments. The malware then causes the installer to spawn multiple bash processes, which it uses to accomplish its objectives.

The malware uses functions appendLine, appendLinex, and appendLiney to extend the bash commands with arguments that write input to files on disk. The adware writes each of its components out line by line with JavaScript commands.

This technique allows the attackers to quickly modify the code and avoid simple static antivirus signatures by dynamically generating the script rather than using a static script file.
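A defender-side triage helper for the technique described above, added here as an example (not Red Canary's or Security Affairs' code). It scans the Distribution file of a flat macOS package for `system.run` calls made from installer JavaScript and counts how many of them spawn a shell; the Distribution XML below is a constructed sample that mimics the line-by-line script-building pattern, not the real Silver Sparrow package.

```python
"""Flag installer JavaScript that uses system.run to spawn shells.

Added example, not code from the Silver Sparrow report. The Distribution
XML is constructed to mimic the described pattern (appendLine-style
helpers writing a script line by line through bash), not the real pkg.
"""
import re
import xml.etree.ElementTree as ET

# Constructed Distribution file: an installation check that builds
# /tmp/agent.sh one line at a time via bash, then runs it.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Updater</title>
  <installation-check script="installCheck()"/>
  <script><![CDATA[
function appendLine(line, file) {
  system.run('/bin/bash', '-c', "echo '" + line + "' >> " + file);
}
function installCheck() {
  appendLine('#!/bin/bash', '/tmp/agent.sh');
  appendLine('curl -s https://c2.invalid/ >/dev/null', '/tmp/agent.sh');
  system.run('/bin/bash', '/tmp/agent.sh');
  return true;
}
]]></script>
</installer-gui-script>
"""

# Captures the first (executable path) argument of each system.run call.
SYSTEM_RUN = re.compile(r"system\.run\s*\(\s*(['\"])([^'\"]*)\1")
SHELLS = {"bash", "sh", "zsh"}


def find_system_run_calls(distribution_xml):
    """Return the executable path passed to every system.run call found in
    the <script> blocks of an installer Distribution file."""
    root = ET.fromstring(distribution_xml)
    calls = []
    for script in root.iter("script"):
        for match in SYSTEM_RUN.finditer(script.text or ""):
            calls.append(match.group(2))
    return calls


def triage(distribution_xml):
    """Summarise how many system.run calls exist and how many spawn a shell,
    the pattern used to write dropped scripts to disk line by line."""
    calls = find_system_run_calls(distribution_xml)
    shell_spawns = [c for c in calls if c.rsplit("/", 1)[-1] in SHELLS]
    return {"system_run_calls": len(calls), "shell_spawns": len(shell_spawns)}
```

On macOS the Distribution file of a real package can be obtained with `pkgutil --expand <pkg> <dir>` and fed to `triage` for review.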

Once executed, Silver Sparrow leaves two scripts on the infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.

The agent.sh script executes immediately at the end of the installation to contact the C2 and register the infection, while the verx.sh script executes periodically, using a persistent LaunchAgent to contact a remote host for more information, including other payloads to execute.

Experts pointed out that none of the infected hosts downloaded a next-stage payload. They believe this missing piece could be used to carry out malicious activities, including data exfiltration, cryptomining, or DDoS attacks.

“In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.” concludes the report.

“Finally, the purpose of the Mach-O binary included inside the PKG files is also a mystery. Based on the data from script execution, the binary would only run if a victim intentionally sought it out and launched it. The messages we observed of “Hello, World!” or “You did it!” could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate.”


Pierluigi Paganini

(SecurityAffairs – hacking, Avaddon ransomware)
