The mysterious malware threatening 40,000 Macs

Share:

Share on facebook
Share on twitter
Share on linkedin

A mysterious piece of malware that has no clear purpose has silently infected almost 40,000 Apple Mac machines across the globe, including in Australia. 

This week, security researchers revealed the existence of a new cutting-edge MacOS malware, dubbed Silver Sparrow. The malware infects both Intel and M1-based Macs – making it only the second known piece of malware to target Apple’s new M1 chip architecture. 

Silver Sparrow has infected 39,080 machines across 164 countries since August last year, with most infections located within the United States. Security firm Malwarebytes has detected 509 Silver Sparrow infections in Australia to date. 

But despite the large number of infections, security experts still have little understanding of the malware’s purpose.

It’s also unclear how Silver Sparrow initially infects victim machines. All that’s known is the malware is installed via a .pkg file, but how victim users come across that file is a mystery. 

Security experts have classified the malware as “adware”, given at least in some cases it appears to have been distributed via other types of adware.

Once Silver Sparrow successfully infects a Mac, the malware waits for commands from its operators. It checks in with the operators every hour to see if there are any new instructions on what it should do next: whether that’s to make further moves within the victim system or install new malware, as just two examples. 

These commands, however, never arrive. 

The malware also contains a kill switch: it checks for the presence of a certain file, and if the file is found, the malware will remove itself from the victim machine.  

Security experts have similarly been unable to work out what triggers this kill switch. 

“The ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution,” security firm Red Canary reported

However, Red Canary cautioned that the malware should not be considered a failed operation: the large number of infected systems combined with its ability to target M1-based machines makes Silver Sparrow a serious threat, it said. 

Additionally, the inclusion of a kill switch, the use of Amazon Web Services hosting and the Akamai content delivery network for the operator’s infrastructure, as well as the use of JavaScript to execute malicious commands suggest a somewhat sophisticated operation, security experts say. 

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary wrote. 

Apple has since revoked the developer certificates used to sign the adware, preventing additional Macs from being infected with the current strain. 

There are two versions of Silver Sparrow in existence at the moment. Red Canary highlighted four files and scripts you can check for to determine whether your machine has been infected: 

  • ~/Library/._insu (empty file used to signal the malware to delete itself 
  • /tmp/agent.sh (shell script executed for installation callback) 
  • /tmp/version.json (file downloaded from from S3 to determine execution flow) 
  • /tmp/version.plist (version.json converted into a property list)

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.