Sophisticated New Malware Found on 30,000 Macs Stumps Security Pros

Long-time Slashdot reader b0s0z0ku quotes *Ars Technica:

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question why the mechanism exists. Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so…

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany.
Red Canary, the security firm that discovered the malware, has named it “Silver Sparrow.” Long-time Slashdot reader Nihilist_CE writes:First detected in August of 2020, the Silver Sparrow malware is interesting in several unsettling ways. It uses the macOS Installer Javascript API to launch a bash process to gain a foothold into the user’s system, a hitherto-unobserved method for bypassing malware detection. This bash shell is then used to invoke macOS’s built-in PlistBuddy tool to create a LaunchAgent which executes a bash script every hour. This is the command and control process, which downloads a JSON file containing (potentially) new instructions.

Besides the novel installation method, Silver Sparrow is also mysterious in its payload: a single, tiny binary that does nothing but open a window reading “Hello, World!” (in v1, which targets Intel Macs) or “You did it!” (in v2, which is an M1-compatible fat binary). These “bystander binaries” are never executed and appear to be proofs-of-concept or placeholders for future functionality.