More malware has been discovered that affects Apple Silicon Macs, but researchers report that, for now, it carries no malicious payload.
It looks like there may be more malware targeting Apple’s M1-based Macs than previously thought. After the first reports of M1 malware found in the wild, more infections have appeared, though of a particularly toothless variety.
In early February, Red Canary researchers discovered a form of macOS malware that used a LaunchAgent to establish persistence, as other malware does. What interested the researchers was that the malicious software behaved differently from typical adware because of how it used JavaScript for execution.
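LaunchAgent persistence is easy to inspect once you know what launchd reads. The script below is an added example, not code from the article or from Red Canary’s report: it parses a LaunchAgent plist and lists the indicators a defender would check first (RunAtLoad, a periodic schedule, a shell wrapper around the real command, and a program living in a user-writable path). Both plists are constructed for illustration and are not Silver Sparrow artefacts; the indicator rules are generic heuristics, not a description of this malware’s exact agent.

```python
"""Triage a macOS LaunchAgent plist for persistence indicators (added example)."""
import plistlib
import re
from typing import List

# Constructed sample: a LaunchAgent that re-runs a shell script from the
# user's home directory at every login and then hourly.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>example.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/Users/victim/Library/Application Support/example/run.sh</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Constructed sample: a typical vendor helper launched from /Applications.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
# Paths an ordinary user can write to; a persistent agent launching from here deserves a look.
USER_WRITABLE = re.compile(r"^/(Users|tmp|private/tmp|var/folders)/")


def triage_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return human-readable indicators found in one LaunchAgent plist."""
    agent = plistlib.loads(plist_bytes)
    findings: List[str] = []

    # launchd accepts either Program or ProgramArguments; normalise to an argv list.
    args = agent.get("ProgramArguments")
    if not args and "Program" in agent:
        args = [agent["Program"]]
    if not args:
        return ["no Program or ProgramArguments key"]

    if agent.get("RunAtLoad"):
        findings.append("RunAtLoad: executes at every login")
    if "StartInterval" in agent or "StartCalendarInterval" in agent:
        findings.append("periodic re-execution configured")

    # A shell wrapper hides the real program behind "-c"; inspect what it runs.
    target = args[0]
    if target in SHELLS and "-c" in args:
        target = args[args.index("-c") + 1]
        findings.append(f"shell wrapper runs: {target}")

    if USER_WRITABLE.match(target):
        findings.append(f"program in user-writable location: {target}")
    return findings


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_AGENT), ("benign", BENIGN_AGENT)):
        print(name, triage_launch_agent(blob))
```

On a live system the same function can be run over every file in `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the benign sample shows that RunAtLoad alone is normal, and it is the combination with a shell wrapper and a user-writable program path that should raise the priority of a host.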
The malware cluster, which the researchers call “Silver Sparrow,” also included a binary compiled to run on M1 chips, making it malicious software capable of targeting Apple Silicon Macs.
Further research by VMware Carbon Black and Malwarebytes determined that Silver Sparrow was likely a “previously undetected strain of malware.” As of Feb. 17, it had been detected on 29,139 macOS endpoints in 153 countries, with most of the infections in the US, the UK, Canada, France and Germany.
At the time of publication, the malicious software had not been used to deliver a malicious payload to the infected Macs, although this could change. Because of its M1 compatibility, its “relatively high infection rate,” and its operational maturity, the malware was considered a serious enough threat that it is “in a unique position to provide a potentially impactful payload at a moment’s notice,” prompting public disclosure.
Two versions of the malware were discovered. The payload of one version was a binary that runs only on Intel-based Macs, while the other’s was a binary compiled for both Intel and M1 architectures. The payload appears to be a placeholder, as the first version opens a window that literally says “Hello, world!” and the second says “You did it!”
![An example of the included binary [via Red Canary]](https://i0.wp.com/photos5.appleinsider.com/gallery/40419-77860-image3-xl.jpg?w=560&ssl=1)
In the malware’s case, a universal payload would allow the same or similar payload instructions to affect both architectures from a single executable.
The malware’s delivery mechanism centered on files named “update.pkg” and “updater.pkg”, which took the form of installer packages. These take advantage of the macOS Installer JavaScript API to execute suspicious commands.
This is behavior sometimes seen with legitimate software but not normally with malicious software, which usually uses preinstall or postinstall scripts to execute commands.
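The difference the researchers point to is visible in a package’s Distribution file, the XML that drives the installer GUI and may embed JavaScript. The script below is an added example, not code from the article or from Red Canary’s report: it parses a Distribution file and flags the two things a defender should look for, the `allow-external-scripts="yes"` option and any `system.run(...)` call inside a `<script>` block (both names come from Apple’s Distribution XML and Installer JavaScript references). Both Distribution files are constructed for illustration and are not Silver Sparrow artefacts; the benign one shows the common legitimate use of Installer JavaScript, a minimum-OS check.

```python
"""Inspect a .pkg Distribution file for Installer JavaScript that executes commands (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed: installation-check JavaScript that runs a shell command via
# system.run() instead of relying on a preinstall/postinstall script.
SUSPICIOUS_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>update</title>
    <options customize="never" allow-external-scripts="yes"/>
    <script>
    function installationCheck() {
        system.run('/bin/sh', '-c', 'touch /tmp/example.marker');
        return true;
    }
    </script>
    <installation-check script="installationCheck()"/>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="example.pkg"/></choice>
    <pkg-ref id="example.pkg" version="1.0">#example.pkg</pkg-ref>
</installer-gui-script>
"""

# Constructed: the usual legitimate use of Installer JavaScript, a minimum-OS check.
BENIGN_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Example</title>
    <options customize="never"/>
    <script>
    function installationCheck() {
        if (system.compareVersions(system.version.ProductVersion, '10.15') &lt; 0) {
            my.result.title = 'Unsupported macOS';
            my.result.type = 'Fatal';
            return false;
        }
        return true;
    }
    </script>
    <installation-check script="installationCheck()"/>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="example.pkg"/></choice>
    <pkg-ref id="example.pkg" version="1.0">#example.pkg</pkg-ref>
</installer-gui-script>
"""

# Installer JavaScript call that launches an external program.
COMMAND_CALL = re.compile(r"system\.(run)\s*\(([^)]*)\)")


def find_installer_js_commands(distribution_xml: str) -> List[str]:
    """Return indicators of command execution found in a Distribution file's JavaScript."""
    root = ET.fromstring(distribution_xml)
    findings: List[str] = []

    # Without this option the installer refuses to run external programs from JavaScript,
    # so its presence is the first thing to note.
    options = root.find("options")
    if options is not None and options.get("allow-external-scripts") == "yes":
        findings.append("allow-external-scripts=yes: JavaScript may launch external programs")

    # Every <script> block is JavaScript; report each call that executes a program.
    for script in root.iter("script"):
        for m in COMMAND_CALL.finditer(script.text or ""):
            findings.append(f"system.{m.group(1)}({m.group(2).strip()})")
    return findings


if __name__ == "__main__":
    print("suspicious:", find_installer_js_commands(SUSPICIOUS_DISTRIBUTION))
    print("benign:", find_installer_js_commands(BENIGN_DISTRIBUTION))
```

For a real package the Distribution file is obtained without installing anything: `pkgutil --expand update.pkg out/` writes it to `out/Distribution`, alongside the `Scripts` directories whose preinstall and postinstall files are where command execution is normally expected.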
When the infection succeeds, the malware checks a specific URL for a downloadable file, which may contain additional instructions or a final payload. A week of monitoring the malware did not produce a final, visible payload, though that could still change.
Researchers still have multiple unanswered questions about Silver Sparrow, including where the initial PKG files used to infect systems were distributed from, and elements of the malware’s code that appear to be part of a broader set of tools.
“The ultimate goal of this malware is a mystery,” admits Red Canary. “We have no way of knowing for sure what payload the malware would distribute, whether a payload has already been delivered and removed, or whether the adversary has a future distribution timeline.”
There is also the question of why the “Hello World” executables were included, since the binary will not run unless a victim actively seeks it out and executes it; it does not run automatically. The executables suggest either that the malware is still under development or that an application bundle was needed to make the malware look legitimate to other parties.