A new strain of malware has infected Mac devices around the world, primarily in the US and parts of Europe, though experts can’t decide where it comes from or what it does.
The malicious program discovered by Red Canary security company and nicknamed “Silver Sparrow”, it has infected 29,139 macOS terminals in 153 countries, with the highest infection rates in USA, UK, France, Germany, and canada. The program is also one of the only a bunch of malware strains that are compatible with products with technology Apple’s new M1 chip.
The researchers describe “Sparrow” as a time bomb: the malware doesn’t seem to have any specific function yet. Instead, it lurks, checking in every hour with a monitoring server to see if there are any new commands it needs to run on infected devices.
“After observing the malware for over a week, neither we nor our research partners observed a final payload, leaving the ultimate goal of Silver Sparrow activity a mystery,” writes Tony Lambert of Red Canary. “We have no way of knowing for sure what payload the malware will distribute, if a payload has already been delivered and removed, or if the adversary has a future schedule for distribution.” It is also not entirely clear to researchers how the devices were infected.
Even more disturbing, “Sparrow” seems designed to be erased from a computer once it has delivered its Useful load. The program “includes a file check that removes all persistence and scripting mechanisms” that “removes all its components from the endpoint,” Lambert said. Ars Technica writes that such capabilities are typically found in “high stealth operations”, that is, intrusion campaigns that are surreptitious in nature.
Two different strains of malware has been discovered. You can take a look at a technical breakdown of the two versions and how they work below:
While the researchers are ultimately perplexed as to the reason for the malware’s existence, they said which represents a credible danger to infected systems.
“While we have not yet seen Silver Sparrow deliver additional malicious payloads, its forward-thinking M1 chip support, global reach, relatively high infection rate, and operational maturity suggest that Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver potential payload impact at any time, ”said Lambert.
Apple appears to have intervened to stop the spread of the malware. The company told MacRumors It has revoked the certificates of the developer accounts used to sign the “Sparrow” related packages, which should prevent other Macs from being infected.
Still, if you are concerned that your device might be compromised, you can check out the list of indicators provided by Red Canary.