
The mysterious malware threatening 40,000 Macs


A mysterious piece of malware that has no clear purpose has silently infected almost 40,000 Apple Mac machines across the globe, including in Australia. 

This week, security researchers revealed the existence of a new cutting-edge macOS malware, dubbed Silver Sparrow. The malware infects both Intel and M1-based Macs, making it only the second known piece of malware to target Apple’s new M1 chip architecture. 

Silver Sparrow has infected 39,080 machines across 164 countries since August last year, with most infections located within the United States. Security firm Malwarebytes has detected 509 Silver Sparrow infections in Australia to date. 

But despite the large number of infections, security experts still have little understanding of the malware’s purpose.

It’s also unclear how Silver Sparrow initially infects victim machines. All that is known is that the malware is installed via a .pkg file; how victims come across that file remains a mystery. 

Security experts have classified the malware as “adware”, given that in at least some cases it appears to have been distributed via other types of adware.

Once Silver Sparrow successfully infects a Mac, the malware waits for commands from its operators. It checks in with the operators every hour to see if there are any new instructions on what it should do next: whether that’s to make further moves within the victim system or install new malware, as just two examples. 

These commands, however, never arrive. 

The malware also contains a kill switch: it checks for the presence of a certain file, and if the file is found, the malware will remove itself from the victim machine.  

Security experts have similarly been unable to work out what triggers this kill switch. 

“The ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution,” security firm Red Canary reported.

However, Red Canary cautioned that the malware should not be considered a failed operation: the large number of infected systems combined with its ability to target M1-based machines makes Silver Sparrow a serious threat, it said. 

Additionally, the inclusion of a kill switch, the use of Amazon Web Services hosting and the Akamai content delivery network for the operator’s infrastructure, as well as the use of JavaScript to execute malicious commands suggest a somewhat sophisticated operation, security experts say. 

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Red Canary wrote. 

Apple has since revoked the developer certificates used to sign the adware, preventing additional Macs from being infected with the current strain. 

There are two versions of Silver Sparrow in existence at the moment. Red Canary highlighted four files and scripts you can check for to determine whether your machine has been infected: 

  • ~/Library/._insu (empty file used to signal the malware to delete itself) 
  • /tmp/agent.sh (shell script executed for installation callback) 
  • /tmp/version.json (file downloaded from S3 to determine execution flow) 
  • /tmp/version.plist (version.json converted into a property list)
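The following script turns that four-item checklist into a repeatable host check. It is an added example written for this page, not code from Red Canary or Gridware. The script name `check_silver_sparrow.sh` and the `ROOT` / `HOME_DIR` parameters are assumptions added so the same check can be pointed at a mounted disk image or a scratch directory instead of the live system; it also walks every account under `/Users`, since `~/Library/._insu` is per-user and a shared Mac is not clean just because the current user's home is.

```shell
#!/bin/sh
# Added example (not Red Canary's or Gridware's code): look for the four
# Silver Sparrow artefacts named in the article. ROOT and HOME_DIR are
# assumed parameters so the check can run against a mounted image or a
# test directory as well as the live machine.

# Print each artefact path that exists.
#   $1 = filesystem root (default "/"), $2 = home directory to inspect
#   (default "$HOME"). Trailing slashes are stripped so "/" and
#   "/Volumes/image/" both join cleanly with the relative paths below.
silver_sparrow_iocs() {
    root="${1:-/}"
    home_dir="${2:-$HOME}"
    root="${root%/}"
    home_dir="${home_dir%/}"

    # The four paths are exactly the ones listed in the article.
    for p in \
        "$home_dir/Library/._insu" \
        "$root/tmp/agent.sh" \
        "$root/tmp/version.json" \
        "$root/tmp/version.plist"; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Unique hits for the given home plus every account under ROOT/Users.
silver_sparrow_report() {
    root="${1:-/}"
    home_dir="${2:-$HOME}"
    {
        silver_sparrow_iocs "$root" "$home_dir"
        for h in "${root%/}"/Users/*; do
            if [ -d "$h" ]; then
                silver_sparrow_iocs "$root" "$h"
            fi
        done
    } | sort -u
}

# Number of unique artefacts found (0 means nothing matched).
# macOS wc pads its output with spaces, hence the tr.
silver_sparrow_count() {
    silver_sparrow_report "${1:-}" "${2:-}" | wc -l | tr -d ' '
}

# Live scan of this machine:  sh check_silver_sparrow.sh --scan
if [ "${1:-}" = "--scan" ]; then
    hits=$(silver_sparrow_report / "$HOME")
    if [ -n "$hits" ]; then
        printf 'Silver Sparrow artefacts present:\n%s\n' "$hits"
        exit 1
    fi
    echo "No Silver Sparrow artefacts found."
fi
```

Run it with `--scan` on the Mac being checked, or call `silver_sparrow_report ROOT HOME_DIR` from another script against a mounted image. Read the result in light of the article's description of the kill switch: `~/Library/._insu` is the file whose presence tells the malware to remove itself, so finding it on its own is consistent with an infection that has already cleaned up, while the `/tmp` files are the installation and version-check artefacts of a run that has not.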

Ahmed Khanji


Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
