The cybersecurity firm Red Canary reports finding a mysterious and previously undetected macOS malware, dubbed “Silver Sparrow,” lurking on nearly 30,000 Macs worldwide.
Once infected, a Mac will check every hour with a command server for any additional content to download and execute. After watching the malware for over a week, cybersecurity analysts say they have yet to observe any payload delivery, leaving them stumped as to Silver Sparrow’s ultimate goal.
The lack of a final payload led analysts to consider that Silver Sparrow may spring into action only once some as-yet-unknown condition has been met.
Adding to the mystery, Silver Sparrow contains a way to remove itself from an infected system altogether. Cybersecurity experts say this type of capability is typically reserved for sophisticated cyber-espionage operations.
Also notable, Silver Sparrow is only the second known piece of malware proven capable of running natively on Apple's new ARM-based M1 Macs, which Apple released in late 2020.
The malware hosts its command infrastructure on Amazon Web Services and the Akamai content delivery network to keep it reliably available, which researchers say could make it difficult to disable.
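Because the check-in described above recurs on a fixed hourly schedule, and because the destinations sit on shared cloud and CDN infrastructure that is awkward to block by address, a defender's most portable signal is the timing regularity itself. The following added example (not code from Red Canary or from the article) parses a constructed connection log and flags host/destination pairs whose inter-arrival times cluster tightly around 3600 seconds. The log format, host names and domain names are all assumptions made up for the example; real detection would run the same logic over proxy, DNS or EDR network telemetry.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log (assumption, not real telemetry): "timestamp src_host dst_domain".
# mac-01 polls one domain roughly every hour; mac-02 talks to the same domain irregularly.
SAMPLE_LOG = """\
2021-02-18T09:00:05Z mac-01 updates.example-cdn.net
2021-02-18T09:12:40Z mac-01 news.example.org
2021-02-18T10:00:07Z mac-01 updates.example-cdn.net
2021-02-18T11:00:04Z mac-01 updates.example-cdn.net
2021-02-18T12:00:09Z mac-01 updates.example-cdn.net
2021-02-18T13:00:06Z mac-01 updates.example-cdn.net
2021-02-18T09:03:00Z mac-02 updates.example-cdn.net
2021-02-18T09:20:00Z mac-02 updates.example-cdn.net
2021-02-18T11:45:00Z mac-02 updates.example-cdn.net
2021-02-18T12:10:00Z mac-02 updates.example-cdn.net
2021-02-18T14:00:00Z mac-02 updates.example-cdn.net
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination domain)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def beacon_score(times):
    """Return (median gap in seconds, relative jitter) for a series of timestamps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    # Relative jitter: spread of the gaps as a fraction of the typical gap.
    jitter = pstdev(gaps) / med if med else float("inf")
    return med, jitter


def find_hourly_beacons(text, period=3600, tolerance=0.05, max_jitter=0.05, min_events=4):
    """Flag (src, dst) pairs whose connections recur close to `period` seconds apart.

    tolerance: how far the median gap may sit from the expected period (fraction).
    max_jitter: how regular the gaps must be; human-driven traffic is far noisier.
    min_events: minimum connections before a pair is scored, to avoid false positives.
    """
    flagged = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        med, jitter = beacon_score(times)
        if abs(med - period) <= period * tolerance and jitter <= max_jitter:
            flagged.append((src, dst, med, round(jitter, 4)))
    return flagged


if __name__ == "__main__":
    for src, dst, med, jitter in find_hourly_beacons(SAMPLE_LOG):
        print(f"possible hourly beacon: {src} -> {dst} (median gap {med:.0f}s, jitter {jitter})")
```

The thresholds are deliberately loose defaults; on real telemetry, legitimate software updaters also poll on fixed schedules, so a hit is a lead to triage against known-good destinations rather than a verdict on its own.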
So far, Silver Sparrow has been located on 29,130 macOS endpoints across 153 countries. Researchers say detections are concentrated on Macs in the United States, United Kingdom, Canada, France, and Germany.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” says Lambert. “Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
Anyone concerned their Mac has been infected with Silver Sparrow can check out “Indicators of Compromise” on Red Canary’s blog for more information.