30,000 Apple Macs Infected With ‘Silver Sparrow’ Malware

Apple computers are at the centre of a rare malware alert, with nearly 30,000 Macs reportedly infected with a mysterious piece of code.

This is the warning from ‘detection engineers’ Wes Hurd and Jason Killam at Red Canary. Earlier this month they had come across “a strain of macOS malware using a LaunchAgent to establish persistence.”

Malware on Macs is less common than infections of Windows-based PCs, but it does happen. In 2019 for example Trend Micro warned of a malware variant that made use of legitimate share-trading software to invade Mac users’ systems.

Silver Sparrow

Last week security researcher Patrick Wardle warned that malware is now being redesigned in order to target Mac computers running Apple’s M1 processor.

And this seems to be the case, after Red Canary this week called this latest malware discovery on Macs “Silver Sparrow.”

What is puzzling is that the researchers said that it is not what the goal of the Silver Sparrow malware is, as it has not delivered “malicious payloads” — essentially, harmful actions against a device.

“However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviours that we’ve come to expect from the usual adware that so often targets macOS systems,” blogged Red Canary.

Yet it is clear Silver Sparrow is malware, as it contains a self-destruct mechanism that appears to have not been used.

It is also not clear at this stage what would trigger that self-destruct function, and it is also unclear how the malware found its way onto the infected Macs, but they speculated it may have been through malicious search results.

The researchers found that Silver Sparrow contains code that runs natively on Apple’s in-house M1 chip that was released in November, making only the second known malware to do so.

“According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany,” wrote Red Canary.

Unknown goal

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” it added.

“Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later,” the firm wrote.

Apple has reportedly revoked the developer certificates used by the malware, in an effort to prevent any future infections.

Revoking the developer certificates also creates barriers for any existing malware infections to be able to take additional actions, it is being reported.