M1 Macs targeted by additional malware, the exact threat remains a mystery

The second known piece of malware that was compiled to run natively on M1 Macs was discovered by security firm Red Canary.

Named “Silver Sparrow”, the malicious package is said to use the macOS Installer JavaScript API to execute suspicious commands. However, after observing the malware for more than a week, neither Red Canary nor its research partners observed a final payload, so the exact threat the malware poses remains a mystery.

Red Canary nevertheless said the malware could be a “fairly serious threat”:

Although we haven’t yet observed Silver Sparrow delivering malicious payloads, its forward-looking M1 chip compatibility, global coverage, relatively high infection rate, and operational maturity suggest that Silver Sparrow is a fairly serious threat, uniquely positioned to deliver a potentially impactful payload at any time.

According to Malwarebytes, Silver Sparrow has infected 29,139 macOS systems in 153 countries since February 17, including “high detection volumes in the United States, the United Kingdom, Canada, France and Germany.” Red Canary did not specify how many of these systems were M1 Macs, if any.

Given that Silver Sparrow “doesn’t seem to do that much” yet, Red Canary referred to its binaries as “bystander binaries.” When run on an Intel-based Mac, the malicious package simply shows a blank window with the message “Hello, world!”, while the Apple silicon binary opens a red window that says “You did it!”

Red Canary has shared hunting methods that cover a wide range of macOS threats, though the steps are not specific to detecting Silver Sparrow:

– Look for a process that appears to be PlistBuddy along with a command line that contains all of the following: LaunchAgents, RunAtLoad and true. This analysis helps find multiple families of macOS malware that establish persistence through a LaunchAgent.
– Look for a process that appears to be sqlite3 along with a command line containing: LSQuarantine. This analysis helps find several families of macOS malware that manipulate or search the quarantine metadata of downloaded files.
– Look for a process that appears to be curl along with a command line containing: s3.amazonaws.com. This analysis helps find multiple families of macOS malware that use S3 buckets for distribution.
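The three hunting heuristics above, turned into a small matcher run over process telemetry. This is an added example, not Red Canary's own detection code; the event format (a dict with 'process' and 'cmdline') and the sample events are constructed assumptions.

```python
"""Match process events against the three Red Canary hunting heuristics
above. Added example, not Red Canary's code; the event shape (dict with
'process' and 'cmdline') is an assumption about the telemetry source."""

# Each rule: expected process name and the substrings that must ALL appear in
# the command line (lifted from the three bullets). Matching is case-sensitive
# because 'LaunchAgents', 'RunAtLoad' and 'LSQuarantine' are literal names.
RULES = {
    "persistence via LaunchAgent (PlistBuddy)":
        ("PlistBuddy", ("LaunchAgents", "RunAtLoad", "true")),
    "quarantine metadata tampering (sqlite3)":
        ("sqlite3", ("LSQuarantine",)),
    "payload distribution via S3 (curl)":
        ("curl", ("s3.amazonaws.com",)),
}


def match_rules(event):
    """Return the names of the rules an event trips (empty list if none)."""
    proc = event["process"].rsplit("/", 1)[-1]  # basename: /usr/bin/curl -> curl
    cmd = event["cmdline"]
    return [name for name, (wanted, needles) in RULES.items()
            if proc == wanted and all(n in cmd for n in needles)]


def hunt(events):
    """Map event index -> rule hits, skipping events that match nothing."""
    return {i: hits for i, e in enumerate(events) if (hits := match_rules(e))}


# Constructed sample telemetry (not real Silver Sparrow artifacts).
SAMPLE_EVENTS = [
    {"process": "/usr/libexec/PlistBuddy",
     "cmdline": "PlistBuddy -c 'Add :RunAtLoad bool true' "
                "~/Library/LaunchAgents/example.plist"},
    {"process": "/usr/bin/sqlite3",
     "cmdline": "sqlite3 ~/Library/Preferences/"
                "com.apple.LaunchServices.QuarantineEventsV2 "
                "'select * from LSQuarantineEvent'"},
    {"process": "/usr/bin/curl",
     "cmdline": "curl -s https://example-bucket.s3.amazonaws.com/file"},
    {"process": "/usr/bin/curl",  # benign: no S3 host, must not fire
     "cmdline": "curl -s https://example.com/updates.json"},
    {"process": "/bin/ls", "cmdline": "ls -la"},
]

if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["process"], "->", hits)
```

The benign curl event is there to show that the process name alone is not enough; each rule requires both the process and its command-line markers.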

The first piece of malware capable of running natively on M1 Macs was discovered a few days earlier. Technical details about this second sample can be found in the Red Canary blog post, and Ars Technica also has a good explanation.
