A new strain of malware has infected Mac devices around the world – particularly in the US and parts of Europe – although experts have not yet determined where it came from or what it is meant to do.
The malicious program, discovered by the security company Red Canary and known as Silver Sparrow, infected 29,139 macOS endpoints in 153 countries, with the highest infection rates in the USA, Great Britain, France, Germany, and Canada. The program is also one of only a handful of malware strains that run natively on Apple’s new M1 chip.
Researchers describe “Sparrow” as a ticking time bomb: the malware does not yet appear to have a specific function. Instead, it waits and checks in every hour with a command-and-control server to see whether any new commands should be run on infected devices.
“After observing the malware for over a week, neither we nor our research partners were observing any final payload, making the ultimate goal of the Silver Sparrow activity a mystery,” writes Red Canary’s Tony Lambert. “We cannot know for sure what payload is being distributed by the malware, whether a payload has already been delivered and removed, or whether the adversary has a future schedule for distribution.” It is also not entirely clear to the researchers how devices were infected.
Even more disturbing, Sparrow is designed to delete itself from a computer once it has delivered its payload. The program “includes a file checker that removes all persistence mechanisms and scripts,” which “removes all of its components from the endpoint,” Lambert said. Ars Technica writes that such capabilities are typically found in “high stealth operations”, that is, in intrusion campaigns that are clandestine in nature.
Two different strains of the malware were discovered. Below is a technical breakdown of the two versions and how they work:
While researchers are ultimately at a loss as to why the malware exists, they said that it poses a credible threat to infected systems.
“Although we haven’t seen Silver Sparrow deliver an additional malicious payload, the advanced compatibility with M1 chips, global reach, relatively high infection rate, and operational readiness suggest that Silver Sparrow poses a reasonably serious threat, being uniquely positioned to have a potentially effective payload impact in the shortest amount of time,” said Lambert.
Apple appears to have stepped in to stop the malware from spreading. The company told MacRumors that it revoked the certificates of the developer accounts that were used to sign the “Sparrow”-related packages, which should prevent other Macs from being infected.
However, if you are concerned that your device has been compromised, you can check it against the list of indicators of compromise published by Red Canary.