A new piece of malware designed to target Macs, called Silver Sparrow, has already infected close to 30,000 separate machines. The malware was discovered by researchers from Red Canary, who subsequently analyzed it together with Malwarebytes and VMware Carbon Black. In a subsequent report published by Red Canary, it was found that the malware can target Apple’s heralded M1 chips. This would make Silver Sparrow the second such capable malware to have been discovered recently. Much mystery still surrounds the malware: while it is capable of infecting a wide array of Mac devices, it lacks one crucial element, a payload.
Malwarebytes was able to provide an accurate breakdown of the malware's impact. By February 17, 2021, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries. High volumes of detections had been found in the United States, the United Kingdom, Canada, France, and Germany. Despite the high number of infections, how the malware is distributed is not known. Similarly, how the malware infects machines is also not known. Typically, malware that targets Macs is distributed via malicious ads, fake app downloads, pirated software, or the infamous fake Flash update. However, as for Silver Sparrow, these details are currently unknown.
The Silver Sparrow mystery continues in that researchers do not know what the final goal of the malware is. Once a computer is infected with the malware, it waits for instructions from the attacker. While researchers were analyzing the malware, no such instructions came.
Researchers warned that Silver Sparrow should not be seen as a failed piece of malware: its developers may have been aware that their creation was under increased scrutiny and decided not to release the second-stage payloads, the components responsible for the more malicious behavior. Given the number of infections, researchers pointed out that the malware does pose a significant risk and should not be seen as a hacker’s experiment. Researchers noted,
“At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe. First, we aren’t certain of the initial distribution method for the PKG files. We suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In this case we can’t be certain because we don’t have the visibility to determine exactly what caused the download…In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”
The threat posed by Silver Sparrow is highlighted by the malware’s ability to target M1 chips. The chip was designed by Apple for use in its Mac products and has been described by the company as a “system on a chip”, in part because of the graphics processing capability built in, which removes the need for a separate GPU card for the same purpose. Further, security features were also built into the chip. These can be found in the chip’s Secure Enclave, which manages the Touch ID and storage controller feature sets. The Secure Enclave also provides AES-256 encryption for SSD functions for improved security. However, recent malware discoveries have cast some doubt on whether the touted security improvements are all they were made out to be.
In the case of Silver Sparrow, while no final payload has been delivered, researchers discovered that the malware can run on the M1’s architecture. Silver Sparrow is the second piece of malware detected that can target M1 chips. Commenting on this, Tony Lambert of Red Canary notes,
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice. Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
Apple’s transition to M1 chips with an ARM-based architecture meant that software developers had to develop or modify apps so that they were compatible with the new technology. While software developers were busy, it would seem so too were malware developers. On February 14, Patrick Wardle of Objective-See published an article detailing possibly the first instance of malware compatible with M1 chips. The malware is not new but has been ported to run on the M1 architecture. The malware, GoSearch22, is malicious adware, a variant of the previously seen Pirrit adware, whose code has been modified to run on the M1 architecture.
It is important to note that malware developed for Intel’s x86 architecture can run on an M1 chip, but not natively. This is possible with the help of a dynamic binary translator called Rosetta. Running natively, without the use of Rosetta, has benefits for malware authors too: efficiency improvements, but also a greater likelihood of staying under the radar without attracting unwanted attention.
Looking at the malware, GoSearch22 adware disguises itself as a Safari browser extension. Once the disguise is stripped away, the malware is seen to collect browsing data and serve many ads, such as banners and popups, including some that link to dubious websites used to distribute additional malware. Its predecessor, Pirrit, was first discovered in 2016 and can be described as a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements to users which, when clicked, download and install unwanted apps with information-gathering features.
Wardle notes that the extension was signed with an Apple Developer ID "hongsheng_yan" in November to further conceal its malicious content, but it has since been revoked, meaning the application will no longer run on macOS unless attackers re-sign it with another certificate. Wardle further summarises why this new development is troubling, stating,
“The creation of such applications is notable for two main reasons. First, (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino. There is a myriad of benefits to natively distributing native arm64 binaries, so why would malware authors resist? Secondly, and more worrisomely, (static) analysis tools or anti-virus engines may struggle with arm64 binaries.”