Mysterious Piece of Mac Malware Infected at Least 30,000 Devices Around the World


A mysterious piece of Mac malware that appears to have infected at least 30,000 devices around the world has been found by researchers at the managed detection and response firm Red Canary.

The threat was analyzed by Red Canary in collaboration with Malwarebytes, whose data showed 29,139 infected macOS systems in 153 countries as of February 17, including many in the United States, United Kingdom, Canada, France and Germany. The cluster of activities was named Silver Sparrow.

Two variants of the malware have been found by researchers, including one designed to run on devices powered by the new M1 chip from Apple, which uses the arm64 CPU architecture.

Another piece of malware built to run on computers with M1 chips, a version of the Pirrit adware, was detailed by Apple security expert Patrick Wardle last week; the sample he analyzed had been uploaded to Google’s VirusTotal malware analysis service in late December 2020.

In the case of Silver Sparrow, the malware file for M1 systems was submitted to VirusTotal on January 22, but one of the domains it uses was registered on December 5. The earliest known version of the malware, one intended for pre-M1 systems, was apparently produced sometime in August 2020.

Silver Sparrow is also interesting because, in addition to targeting computers with M1 chips, its installer packages use the macOS Installer JavaScript API to execute commands. Red Canary says this appears to be the first malware seen doing so, although the technique is not unusual in legitimate software; malicious macOS software typically relies on preinstall or postinstall scripts for command execution instead.
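As an added illustration (not code from the original article or from Red Canary), the following Python triage helper shows how a defender can inspect a package's Distribution file for Installer JavaScript that calls `system.run`, and separately list the conventional preinstall/postinstall scripts in an expanded package. The Distribution XML and the file paths are constructed samples; the `system.run`, `installation-check`, `volume-check` and `hostArchitectures` names are from Apple's documented Installer format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Distribution file (not from any real package). It declares
# both Intel and arm64 support and runs JavaScript during the installation check.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="2">
    <title>Example Updater</title>
    <options customize="never" hostArchitectures="x86_64,arm64"/>
    <installation-check script="checkHost()"/>
    <script>
    function checkHost() {
        system.run("/bin/sh", "-c", "echo hello");
        return true;
    }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"><pkg-ref id="com.example.pkg"/></choice>
    <pkg-ref id="com.example.pkg">#example.pkg</pkg-ref>
</installer-gui-script>
"""

# Installer JavaScript calls that execute commands on the host before any
# payload is written (system.run / system.runOnce in Apple's Installer JS API).
CMD_API_RE = re.compile(r"\bsystem\.run(?:Once)?\b")

def triage_distribution(xml_text):
    """Report command-executing JS APIs, the installer phases that invoke
    scripts, and the declared host architectures of a Distribution file."""
    root = ET.fromstring(xml_text)
    js = "\n".join(s.text or "" for s in root.iter("script"))
    findings = {
        "command_apis": sorted(set(CMD_API_RE.findall(js))),
        # installation-check / volume-check run before the user commits to install
        "script_hooks": [h for h in ("installation-check", "volume-check")
                         if any(el.get("script") for el in root.iter(h))],
        "arches": [],
    }
    opts = root.find("options")
    if opts is not None and opts.get("hostArchitectures"):
        findings["arches"] = opts.get("hostArchitectures").split(",")
    # JS that runs commands from a pre-install hook is worth an analyst's attention
    findings["review"] = bool(findings["command_apis"] and findings["script_hooks"])
    return findings

def triage_payload_scripts(paths):
    """List preinstall/postinstall scripts in an expanded package (e.g. the file
    tree produced by `pkgutil --expand`), the usual command-execution route."""
    return sorted(p for p in paths
                  if p.rsplit("/", 1)[-1] in ("preinstall", "postinstall"))
```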

Interestingly, researchers have not seen Silver Sparrow deliver any payload despite its infecting a large number of computers, which leaves the threat actor’s goals unclear, but they consider it to be an “operationally mature adversary.”

The malware was delivered as PKG files, but the initial method of distribution is unknown at the moment.

“Based on network connections, we believe malicious search engine results direct victims, from the victim’s browser, to retrieve the PKGs. We can’t be certain in this case because we don’t have the visibility to determine exactly what caused the download,” explained researchers from Red Canary.

Though Silver Sparrow does not currently have a payload, Red Canary claims it is “uniquely positioned at a moment’s notice to deliver a potentially impactful payload.”

Red Canary has made available indicators of compromise (IoCs) and other technical details that can help defenders and threat hunting teams.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.