Mysterious malware infecting Apple Silicon Macs has no payload, yet

More malware has been discovered affecting Apple Silicon Macs, but researchers have found that it lacks a malicious payload at the moment.

It appears that more malware targets Apple’s M1-based Macs than previously thought. Following initial reports of the first M1 malware found in the wild, further infections have been found, but of a particularly toothless variety.

In early February, Red Canary researchers discovered a macOS malware strain that used a LaunchAgent to make its presence known, as many other forms of malware do. What interested the researchers was that the malware behaved differently from typical adware, because of how it used JavaScript to execute.

The malware group, named by the researchers “Silver Sparrow”, also involved a binary compiled to work with M1 chips, making it malware that could potentially target Apple Silicon Macs.

Further investigation by researchers at VMware Carbon Black and Malwarebytes determined that Silver Sparrow was likely a “previously undetected strain of malware.” As of February 17, it had been detected on 29,139 macOS endpoints in 153 countries, with the majority of infections residing in the US, UK, Canada, France, and Germany.

At press time, the malware has not been used to deliver a malicious payload to victim Macs, although that could change in the future. Due to the compatibility with M1, the “relatively high infection rate” and the operational maturity of the malware, it was considered to be a threat serious enough that it is “in a unique position to offer a potentially impactful payload at any time”, prompting a public disclosure.

Two versions of the malware were discovered, with the payload of one version consisting of a binary that only affected Intel-based Macs, while the other was a binary that was compiled for both Intel and M1 architectures. The payload is apparently a placeholder, as the first version opens a window that literally says “Hello world!” and the second says “You did it!”

An example of the included binary [via Red Canary]

If the malware carried a genuinely malicious payload, a binary built this way would allow the same or similar payload instructions to affect both architectures from a single executable.

The malware mechanism worked with files titled “update.pkg” and “Updater.pkg”, which pose as installers. They take advantage of the macOS installer JavaScript API to execute suspicious commands.

This behavior is sometimes seen in legitimate software but not usually in malware, which generally relies on preinstall or postinstall scripts for command execution.
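The distinction in the two paragraphs above (installer JavaScript versus preinstall/postinstall scripts) can be checked statically once a package is expanded with `pkgutil --expand`, because the JavaScript lives in the package’s `Distribution` file and the scripts live in each component’s `Scripts` directory. The following triage script is an added example, not Red Canary’s tooling or code from the malware; the `Distribution` XML and the file listing it inspects are constructed samples, and the function names are the example’s own.

```python
"""Static triage of an expanded macOS .pkg: does it execute commands through
the installer JavaScript API (as described for Silver Sparrow) or through
conventional preinstall/postinstall scripts?

Added example; not Red Canary's tooling. On a real package you would first run
`pkgutil --expand Updater.pkg /tmp/expanded` and read /tmp/expanded/Distribution
plus the expanded file tree. The samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Installer JavaScript calls that launch an external program during installation.
SUSPICIOUS_JS_CALLS = ("system.run(", "system.runOnce(")

# Constructed Distribution file: a universal (x86_64 + arm64) package whose
# installation-check hook shells out before the user has clicked "Install".
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
  <title>Updater</title>
  <options customize="never" hostArchitectures="x86_64,arm64"/>
  <installation-check script="installationCheck()"/>
  <script>
  <![CDATA[
  function installationCheck() {
      // constructed placeholder command for the example
      system.run("/bin/sh", "-c", "echo hello > /tmp/marker");
      return true;
  }
  ]]>
  </script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Updater"><pkg-ref id="com.example.updater"/></choice>
  <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed listing of the expanded package, as `find /tmp/expanded` would print it.
SAMPLE_FILE_LISTING = [
    "/tmp/expanded/Distribution",
    "/tmp/expanded/updater.pkg/Bom",
    "/tmp/expanded/updater.pkg/PackageInfo",
    "/tmp/expanded/updater.pkg/Payload",
]


def find_js_command_execution(distribution_xml):
    """Return one finding per JavaScript function that launches a command,
    noting which installer hook (installation-check / volume-check) calls it."""
    root = ET.fromstring(distribution_xml)
    script_text = "\n".join((s.text or "") for s in root.findall("script"))

    # Split the script into function bodies by brace matching. This is a
    # triage heuristic, not a JavaScript parser.
    funcs = {}
    for m in re.finditer(r"function\s+(\w+)\s*\([^)]*\)\s*\{", script_text):
        start, depth, i = m.end(), 1, m.end()
        while i < len(script_text) and depth:
            depth += {"{": 1, "}": -1}.get(script_text[i], 0)
            i += 1
        funcs[m.group(1)] = script_text[start:i]

    # Hooks the Installer runs automatically, before any user confirmation.
    hooks = {}
    for tag in ("installation-check", "volume-check"):
        el = root.find(tag)
        if el is not None and el.get("script"):
            hooks[tag] = re.sub(r"\(.*\)$", "", el.get("script").strip())

    findings = []
    for name, body in funcs.items():
        for call in SUSPICIOUS_JS_CALLS:
            if call in body:
                triggered_by = [h for h, fn in hooks.items() if fn == name]
                findings.append({"function": name, "call": call.rstrip("("), "hooks": triggered_by})
    return findings


def classify_execution_mechanism(distribution_xml, file_listing):
    """Label the package by how it can execute code: installer JavaScript,
    preinstall/postinstall scripts, or both."""
    mechanisms = []
    if find_js_command_execution(distribution_xml):
        mechanisms.append("installer-javascript")
    if any(p.endswith(("/Scripts/preinstall", "/Scripts/postinstall")) for p in file_listing):
        mechanisms.append("install-scripts")
    return mechanisms


if __name__ == "__main__":
    for f in find_js_command_execution(SAMPLE_DISTRIBUTION):
        print(f"{f['function']} calls {f['call']} via hooks {f['hooks']}")
    print("mechanisms:", classify_execution_mechanism(SAMPLE_DISTRIBUTION, SAMPLE_FILE_LISTING))
```

A package that reports `installer-javascript` but no `install-scripts` matches the pattern the article describes; the `hooks` field matters because code reached from `installation-check` or `volume-check` runs as soon as the Installer opens the package, not when the user approves the install.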

Once installed, the infection checks a specific URL for a downloadable file, which could contain further instructions or a final payload. After a week of monitoring the malware, no final payload had become visible, although that could still change in the future.

Researchers still have many unanswered questions about Silver Sparrow. These include how the initial PKG files were distributed to infect systems, and pieces of malware code that appear to be part of a larger set of tools.

“The ultimate goal of this malware is a mystery,” admits Red Canary. “We have no way of knowing for sure what payload the malware will distribute, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.”

There is also the question of why the “Hello World” executables are included, since the binary will not run automatically; a victim would have to actively search for it and run it. The executables suggest that this could be malware still in development, or that an application bundle was needed to make the malware appear legitimate to other parties.
