The cybersecurity firm Red Canary reports finding a mysterious and previously undetected macOS malware, dubbed “Silver Sparrow,” lurking on nearly 30,000 Macs worldwide.
First reported by Ars Technica, the malware has so far stumped security professionals. No one has been able to figure out precisely what Silver Sparrow does or what purpose its self-destruct capability serves. “This malware, whatever it was, did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware,” said Red Canary’s Tony Lambert in a blog post.
Once infected, a Mac will check every hour with a command server for any additional content to download and execute. After watching the malware for over a week, cybersecurity analysts say they have yet to observe any payload delivery, leaving them stumped as to Silver Sparrow’s ultimate goal.
The lack of final payload led analysts to consider that Silver Sparrow may spring into action once an unknown condition has been met.
Adding to the mystery, Silver Sparrow contains a way to remove itself from an infected system altogether. Cybersecurity experts say this type of capability is typically reserved for sophisticated cyber-espionage operations.
Researchers at Red Canary say most macOS threats masquerade as a legitimate application – such as Adobe Flash Player – and are distributed as malicious advertisements, with single self-contained installers in PKG or DMG form. Silver Sparrow, however, uses installer packages that leverage the macOS Installer JavaScript API to execute commands. “While we’ve observed legitimate software doing this, this is the first instance we’ve observed it in malware,” said Lambert.
Also notable, Silver Sparrow is only the second known piece of malware that has proven capable of targeting Apple’s new M1 ARM architecture Macs, which Apple released in late 2020.
The malware uses Amazon Web Services and the Akamai content delivery network to ensure the command infrastructure reliably works, which researchers say could make it difficult to disable.
So far, Silver Sparrow has been located on 29,130 macOS endpoints across 153 countries. Researchers say high volumes of detection have been made on Macs in the United States, United Kingdom, Canada, France, and Germany.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” says Lambert. “Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
Anyone concerned their Mac has been infected with Silver Sparrow can check out “Indicators of Compromise” on Red Canary’s blog for more information.