Mysterious malware that infects Apple Silicon Macs doesn't have a payload – yet

Malware that infects Apple Silicon Macs has been found on tens of thousands of machines, but researchers have noticed that it currently lacks a malicious payload.

It seems there may be more malware for M1-based Apple Macs than previously thought. Following initial reports of the first M1-native malware found in the wild, a second family has turned up on thousands of machines, but of a particularly toothless variety.

In early February, researchers at Red Canary discovered a strain of macOS malware that, like many other families, uses a LaunchAgent to establish persistence. What caught the researchers' interest was that the malware behaved differently from typical adware in the way it used JavaScript for execution.

The malware cluster, which the researchers named "Silver Sparrow", also included a binary compiled natively for M1 chips, making it malware capable of targeting Apple Silicon Macs.

Subsequent research with VMware Carbon Black and Malwarebytes established that Silver Sparrow is likely a "previously undetected strain of malware." As of February 17, it had been detected on 29,139 macOS endpoints in 153 countries, with most infections in the United States, the United Kingdom, Canada, France and Germany.

At the time of publication, the malware had not delivered a malicious payload to victim Macs, although this may change in the future. Because of its M1 compatibility, its "relatively high infection rate" and the operational maturity of the code, the researchers considered it a serious enough threat, one "uniquely positioned to deliver a potentially impactful payload at some point", to warrant public disclosure.

Two versions of the malware have been discovered. The payload of the first is a binary that runs only on Intel-based Macs, while the second carries a universal binary compiled for both the Intel and M1 architectures. The payloads are apparently placeholders: the first version opens a window that literally says "Hello, World!" and the second one says "You did it!"

[Image: an example of the included binary, via Red Canary]

Had the binary been genuinely malicious, a universal binary of this kind would let the same or similar instructions run natively on both architectures from a single executable.
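The distinction the article draws between an Intel-only payload and a universal one is visible in the first few bytes of a Mach-O file. The following added example, which is not Red Canary's code or any tooling from the report, parses a Mach-O header and reports which CPU slices it contains; the two sample headers are constructed bytes standing in for the two payload variants, not the real Silver Sparrow binaries. On macOS, `lipo -archs` and `file` give the same answer for a real file.

```python
import struct

# Mach-O constants from <mach-o/fat.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE          # universal ("fat") binary, big-endian header
MH_MAGIC_64 = 0xFEEDFACF        # single-architecture 64-bit Mach-O
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
FAT_HEADER_LEN = 8
FAT_ARCH_LEN = 20


def mach_o_architectures(header: bytes) -> list[str]:
    """Return the CPU architectures a Mach-O file carries, from its header only."""
    if len(header) < 8:
        raise ValueError("too short to be a Mach-O header")
    # The fat header is always big-endian.
    magic_be, count = struct.unpack(">II", header[:8])
    if magic_be == FAT_MAGIC:
        # Java class files share this magic; an implausible slice count rules them out.
        if count == 0 or count > 32:
            raise ValueError("implausible fat_arch count; probably not Mach-O")
        archs = []
        for i in range(count):
            start = FAT_HEADER_LEN + i * FAT_ARCH_LEN
            cputype, _subtype, _offset, _size, _align = struct.unpack(
                ">IIIII", header[start:start + FAT_ARCH_LEN])
            archs.append(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
        return archs
    # Thin 64-bit Mach-O headers are in the target's byte order, which is
    # little-endian for both x86_64 and arm64.
    magic_le, cputype = struct.unpack("<II", header[:8])
    if magic_le == MH_MAGIC_64:
        return [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]
    raise ValueError("not a 64-bit Mach-O or universal binary")


def runs_natively_on_apple_silicon(header: bytes) -> bool:
    """True if the file has an arm64 slice, i.e. needs no Rosetta translation."""
    return "arm64" in mach_o_architectures(header)


def build_fat_header(cputypes: list[int]) -> bytes:
    """Build a synthetic fat header; offset/size/align are placeholders."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        hdr += struct.pack(">IIIII", cputype, 0, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


# Constructed samples for the two variants the article describes. These are
# synthetic header bytes, not the real Silver Sparrow payloads.
UNIVERSAL_SAMPLE = build_fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
INTEL_ONLY_SAMPLE = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64) + b"\0" * 24


if __name__ == "__main__":
    import sys
    # Pass a path to inspect a real file; otherwise use the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], mach_o_architectures(f.read(4096)))
    else:
        print("universal:", mach_o_architectures(UNIVERSAL_SAMPLE))
        print("intel-only:", mach_o_architectures(INTEL_ONLY_SAMPLE))
```

Only the header is read, so the first few kilobytes of a large file are enough to answer the question; the `count > 32` guard is an assumption chosen here to reject Java class files, which share the fat magic.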

The malware's mechanism revolves around files called "update.pkg" and "updater.pkg", which masquerade as installers. They take advantage of the macOS Installer JavaScript API to execute suspicious commands.

This is behavior sometimes seen in legitimate software but rarely in malware, which usually uses preinstall or postinstall scripts to run its commands.
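The JavaScript in question lives in the package's Distribution file, which `pkgutil --expand update.pkg expanded/` writes out as `expanded/Distribution`. The following added triage script, which is not from Red Canary or the report, parses such a file and flags any `system.run` call in its scripts, the Installer API call that spawns a process. Both sample Distribution files are constructed for this example: the package ids, the command and the URL are placeholders, and the suspicious one is only modelled on the layout the article describes, not copied from Silver Sparrow.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Distribution file in the layout of a macOS product
# archive (.pkg). It is NOT the real Silver Sparrow file; the command,
# package id and URL are placeholders made up for this example.
SUSPICIOUS_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
  <title>updater</title>
  <options customize="never" hostArchitectures="x86_64,arm64"/>
  <installation-check script="installationCheck()"/>
  <script><![CDATA[
function installationCheck() {
  system.run('/bin/sh', '-c',
    'mkdir -p ~/Library/LaunchAgents && curl -s https://example.invalid/v > /dev/null');
  return true;
}
]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.updater"/></choice>
  <pkg-ref id="com.example.updater">#updater.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed benign counterpart: no JavaScript at all, just the package graph.
BENIGN_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
  <title>Example App</title>
  <options customize="never" hostArchitectures="x86_64"/>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.app"/></choice>
  <pkg-ref id="com.example.app">#app.pkg</pkg-ref>
</installer-gui-script>
"""

# Installer JavaScript API calls that spawn a process. system.run is the
# documented call; \w* also catches variants spelled system.runXxx.
PROCESS_LAUNCH = re.compile(r"\bsystem\.run\w*\s*\(\s*['\"]([^'\"]*)['\"]")


def extract_scripts(distribution_xml: str) -> list[str]:
    """Return the JavaScript body of every <script> element."""
    root = ET.fromstring(distribution_xml.encode("utf-8"))
    return [el.text or "" for el in root.iter("script")]


def analyze_distribution(distribution_xml: str) -> dict:
    """Summarise what a Distribution file would do before any payload is installed."""
    root = ET.fromstring(distribution_xml.encode("utf-8"))
    options = root.find("options")
    arch_attr = options.get("hostArchitectures", "") if options is not None else ""
    archs = [a for a in arch_attr.split(",") if a]

    check = root.find("installation-check")
    joined = "\n".join(extract_scripts(distribution_xml))
    launches = PROCESS_LAUNCH.findall(joined)
    return {
        "host_architectures": archs,
        "installation_check": check.get("script") if check is not None else None,
        "launches": launches,                      # first argument of each system.run
        "mentions_launch_agents": "LaunchAgents" in joined,
        # Any process launch from installer JavaScript deserves a look: legitimate
        # packages normally put that logic in preinstall/postinstall scripts.
        "suspicious": bool(launches),
    }


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_DISTRIBUTION),
                           ("benign", BENIGN_DISTRIBUTION)):
        print(name, analyze_distribution(xml_text))
```

To run it against a real package, expand the archive with `pkgutil --expand` and pass the contents of the resulting `Distribution` file to `analyze_distribution`. A hit is a reason to read the script by hand, not a verdict: the article itself notes that some legitimate installers use this API.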

Once installed, the infection checks a specific URL for a downloadable file, which may contain additional instructions or a final payload. A week of monitoring the malware revealed no final payload, though that could change in the future.

Several questions about Silver Sparrow remain unanswered for the researchers. These include where the original PKG files used to infect systems were distributed from, and elements of the malware's code that appear to be part of a wider toolset.

"The ultimate purpose of this malware is a mystery," admits Red Canary. "We have no way of knowing for sure what payload would be distributed by the malware, whether a payload has already been delivered and removed, or whether the adversary has a future timeline for distribution."

There is also the question of why the "Hello, World!" executables are included at all, since the binary only runs if a victim actively seeks it out and executes it rather than launching automatically. These bystander executables suggest either that the malware is still under development or that an application bundle was needed to make the package look legitimate to other parties.
