The second known malware that has been compiled to run natively on Mac M1 has been discovered by security firm Red Canary.
Named “Silver Sparrow,” the malicious package is said to use the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for more than a week, however, neither Red Canary nor its research partners observed a final payload, so the exact threat posed by the malware remains a mystery.
However, Red Canary said the malware could be “a reasonably serious threat”:
Although we have not yet observed that Silver Sparrow provides additional malicious payloads, its compatibility with future M1 chips, global reach, relatively high infection rate, and operational maturity suggest that Silver Sparrow is a reasonably serious threat, with a unique position to provide a potentially impactful payload at any time.
According to data provided by Malwarebytes, “Silver Sparrow” had infected 29,139 macOS systems in 153 countries as of Feb. 17, including “high detection volumes in the United States, the United Kingdom, Canada, France, and Germany.” Red Canary did not specify how many of these systems were Mac M1s, if any.
Given that the “Silver Sparrow” binaries still don’t seem to do much, Red Canary referred to them as “spectator binaries.” When running on Intel-based Macs, the malicious package simply displays a blank window with a “Hello, world!” message, while the Apple silicon binary brings up a red window that says “You did it!”
Red Canary shared detection methods that cover a wide range of macOS threats, but the steps are not specific to “Silver Sparrow”:
– Look for a process that appears to be PlistBuddy running with a command line that contains: LaunchAgents and RunAtLoad and true. This analytic helps us find several families of macOS malware that establish LaunchAgent persistence.
– Look for a process that appears to be sqlite3 running with a command line that contains: LSQuarantine. This analytic helps us find several families of macOS malware that manipulate or search the metadata of downloaded files.
– Look for a process that appears to be curl running with a command line that contains: s3.amazonaws.com. This analytic helps us find several families of macOS malware that use S3 buckets for distribution.
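The three analytics above, written out as a small detection routine run over constructed process-start events (an added example, not code from Red Canary or from the article; the event shape, the analytic labels and the sample command lines are assumptions made for the illustration):

```python
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """Process-start event as an EDR or audit log might record it (hypothetical shape)."""
    name: str      # executable name or path, e.g. "/usr/libexec/PlistBuddy"
    cmdline: str   # full command line

# Each analytic: the process name plus substrings that must ALL appear in the command line.
# Plain substring matching mirrors the text; "true" in particular will need tuning in production.
ANALYTICS = {
    "launchagent_persistence": ("PlistBuddy", ("LaunchAgents", "RunAtLoad", "true")),
    "lsquarantine_tampering": ("sqlite3", ("LSQuarantine",)),
    "s3_distribution": ("curl", ("s3.amazonaws.com",)),
}

def match_analytics(event):
    """Return the labels of every analytic this event satisfies (empty list = no match)."""
    proc = os.path.basename(event.name)
    hits = []
    for label, (wanted, needles) in ANALYTICS.items():
        if proc == wanted and all(n in event.cmdline for n in needles):
            hits.append(label)
    return hits

def scan(events):
    """Group matching command lines by analytic label over a batch of events."""
    findings = {}
    for ev in events:
        for label in match_analytics(ev):
            findings.setdefault(label, []).append(ev.cmdline)
    return findings

# Constructed sample events (not real telemetry). The first three resemble the described
# patterns; the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/libexec/PlistBuddy",
                 "PlistBuddy -c 'Add :RunAtLoad bool true' ~/Library/LaunchAgents/com.example.agent.plist"),
    ProcessEvent("sqlite3",
                 "sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "
                 "'select LSQuarantineDataURLString from LSQuarantineEvent'"),
    ProcessEvent("curl", "curl -s https://example-bucket.s3.amazonaws.com/update -o /tmp/download"),
    ProcessEvent("/usr/libexec/PlistBuddy",
                 "PlistBuddy -c 'Print :CFBundleVersion' /Applications/Example.app/Contents/Info.plist"),
    ProcessEvent("curl", "curl -s https://example.com/update.json"),
]

if __name__ == "__main__":
    for label, lines in scan(SAMPLE_EVENTS).items():
        print(label, "->", lines)
```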
A few days ago the first malicious program capable of running natively on M1 Macs was discovered. You can find technical details about this second malware in the Red Canary blog post; Ars Technica also has a good explainer.