According to the security company Red Canary, the ‘Silver Sparrow’ malware has infected a number of Apple Mac devices in over 150 countries around the world.
The name, though relatively innocent-sounding, should not fool anyone: this new piece of macOS malware, which runs on both Intel and M1-based Macs, has infected many devices around the world.
But researchers discovered this ‘Silver Sparrow’ before it could spread its wings and potentially harm your system.
Cybersecurity company Red Canary published findings last week on this new Mac malware, which has been humbly named ‘Silver Sparrow.’ The malware stands out because it is one of the first to include native code for Apple’s new M1 chips.
It has garnered much interest not because of what is known about the malware but what is unknown about it!
Let us see what is actually known about the ‘Silver Sparrow.’
- Another reason it is highly unusual is that it is only the second known piece of malware capable of targeting Apple’s new M1 ARM architecture Macs. Most importantly, it hasn’t done anything despite having targeted Macs located in 153 different countries; the highest volume is in the United States, the United Kingdom, France, Germany, and Canada.
- What has also caught the eye of researchers is how stealthy it has been in infecting over 30,000 Macs worldwide.
- The malware also uses Amazon Web Services and Akamai for its command-and-control infrastructure. This basically means that it would be very difficult to take down.
- The malware also has the capability to remove itself from a system, which means it could be used to deliver a command, after which it could promptly disappear.
What we know is this: the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg, but how these files were delivered to the user remains a mystery.
This is where one needs to be cautious: once you click Continue in the installer, it is too late, and the malware has already infected the system.
At present, every Mac infected with Silver Sparrow communicates every hour with the control server to see if there are any new commands to carry out. However, so far, no command seems to have been issued.
Red Canary’s researchers have pointed out that the ultimate goal of this malware is a mystery! There is no certainty as to what payload the malware would distribute, whether the payload has already been delivered and removed, or whether the adversary has a future timeline for distribution.
According to the reports, the 30,000 affected hosts have not downloaded what would be the next and final payload; this is nothing less than a science fiction movie!
How to find and remove ‘Silver Sparrow’?
Mac users around the world are left wondering if the new malware has affected their systems. However, the odds are that you haven’t been infected and won’t be going forward either: Apple has promptly taken action and suspended the developer certificates used to sign the package files that start the infection.
In simple terms, it means that Mac users will be unable to install it if they are using the Mac’s default security settings.
If you are concerned that your system may have been infected, you need to recall what you have done with your system lately: were you prompted by a website to download a software package or update?
Was it something you would not have downloaded or installed on your own, but did because a website suggested you should?
If this may be the case, then a little concern is reasonable, though it should be noted that there is no way to know or detect if the malware is on your system based on observable behavior, because the malware is currently stalled and not doing anything, and chances are it may not do anything in the future either.
However, to start your own detective work, Red Canary noted the following four files whose presence suggests that your system may indeed be infected:
- ~/Library/._insu (empty file used to signal the malware to delete itself)
- /tmp/agent.sh (shell script executed for installation callback)
- /tmp/version.json (file downloaded from S3 to determine execution flow)
- /tmp/version.plist (version.json converted into a property list)
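The following POSIX shell script turns the four indicators above into a repeatable check. It is an added example, not Red Canary’s or Apple’s code. The optional ROOT prefix argument is an assumption added so the check can be exercised against a constructed directory tree; run with no argument it inspects the real host.

```shell
#!/bin/sh
# Added example (not Red Canary's or Apple's code): check a macOS host for the
# four Silver Sparrow file indicators listed in the article.
# Assumption: an optional ROOT prefix is prepended to every path so the check
# can be exercised against a constructed directory tree instead of the live
# filesystem; with no argument it inspects the real host.

# The four published indicator paths, one per line. The first one lives
# under the current user's home directory, so $HOME is expanded here.
silver_sparrow_indicators() {
    printf '%s\n' \
        "$HOME/Library/._insu" \
        "/tmp/agent.sh" \
        "/tmp/version.json" \
        "/tmp/version.plist"
}

# Usage: check_silver_sparrow [ROOT]
# Prints one line per indicator (FOUND or absent) and returns the number of
# indicators present, so a return code of 0 means none were found. Presence
# of any of them, especially ~/Library/._insu, warrants a closer look.
check_silver_sparrow() {
    root="${1:-}"
    found=0
    # Read paths line by line rather than word-splitting them, so a home
    # directory containing spaces is handled correctly.
    while IFS= read -r path; do
        if [ -e "$root$path" ]; then
            echo "FOUND:  $root$path"
            found=$((found + 1))
        else
            echo "absent: $root$path"
        fi
    done <<EOF
$(silver_sparrow_indicators)
EOF
    return "$found"
}
```

Source the file in a terminal and call `check_silver_sparrow`; a non-zero exit status is the number of indicators found. Because the malware is dormant, file presence is the only signal this check can give, which is exactly why it is worth scripting rather than eyeballing.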
If you find no trace of Silver Sparrow, make sure you keep your antivirus definitions updated and run regular scans.
In the meantime, the company will soon issue an update that scrubs macOS clean of the silent ‘Silver Sparrow.’