Update on February 23: Apple reached out to Laptop Mag on Feb. 22 to release a statement on Red Canary's Silver Sparrow findings, assuring us all that its taking action against malicious actors. The company has revoked the certificates of the developer accounts used to sign the packages, preventing new machines from being infected. Apple wants to remind users that, as the research states, there is no evidence to suggest the discovered malware delivered a malicious payload to infected users.
--
[Originally published on Feb. 22]: As we reported last week, independent security researcher Patrick Wardle discovered the first malware software to target the M1 chipset. Now, there's another one. It's been dubbed "Silver Sparrow" — and this one is dangerous.
Silver Sparrow is swooping in on M1 MacBooks
Silver Sparrow, malware created to be compatible with M1-equipped laptops, was discovered by cybersecurity firm Red Canary. Researchers are baffled and dumbfounded by the new malware strain, which infected 29,139 macOS devices across 153 countries as of Feb. 17, according to Malwarebytes data. Investigators found the highest volumes of Silver Sparrow in the U.S., the U.K., Canada, France and Germany.
So why are researchers mystified by Silver Sparrow? Well, they're uncertain of its motive and intent. "After observing the malware for over a week, neither we nor our research partners observed a final payload, leaving the ultimate goal of Silver Sparrow activity a mystery," Tony Lambert, Red Canary's intelligence analyst, said.
So far, what researchers do know is that Silver Sparrow is set to check a remote control server once an hour to download a payload (a command the malware runs to execute its infection scheme). Due to no payloads being delivered, experts are befuddled by Silver Sparrow's goal. Researchers suspect that Silver Sparrow is waiting for specific conditions to be met before it "wakes up" and wreaks havoc inside MacBooks around the world.
"Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice," Lambert said.
Silver Sparrow uses macOS' Installer JavaScript API to execute commands, which frustrates researchers because it offers very little visibility into the contents of the installation package and how it uses JavaScript commands. The malware also uses Amazon Web Services (AWS) and Akamai for distribution, which Red Canary experts admit is a smart choice because most institutions can't afford to block access to resources in AWS and Akamai.
Interestingly, Silver Sparrow has a self-destruct capability, which means the malware can remove itself from a laptop if it's directed to do so.
Silver Sparrow sounds like a sleeping beast and the hacker may be waiting for the right moment to strike. Unfortunately, Red Canary's researchers have not yet offered guidance on how to remove the malicious software.
