Silver Sparrow Malware Targets Apple’s New M1 Chip

Cybersecurity firm Red Canary announced earlier this month that two of its detection engineers had made an unusual discovery: “a strain of macOS malware using a LaunchAgent to establish persistence.” The malware, dubbed Silver Sparrow, was not itself unusual. What made it so, according to Red Canary, was the way it executes in JavaScript and its ability to target Apple’s new M1 architecture.

Apple announced the M1 last year as the first chip designed specifically by the company for Mac computers. It currently replaces Intel chips in MacBook laptops and Mac mini computers. Cybersecurity company Malwarebytes, which assisted Red Canary in analyzing the malware, said Silver Sparrow was among the first malware strains to include native code for the M1 chip.

The Scope of the Problem

After analysis by Malwarebytes and others, it was determined that Silver Sparrow has so far infected nearly 40,000 Mac computers in 164 countries. High concentrations of infections occurred in the U.S., Canada, the U.K., France, and Germany. But analysts are still not sure how the malware was distributed. Malware hidden in malicious ads, pirated apps, and fake Flash updaters is among the most common attack vectors for Mac malware strains, according to recent reporting on Silver Sparrow by ZDNet.

Analysts are also uncertain about the purpose of the Silver Sparrow malware. Current research has shown only that it takes root in systems and then awaits further instructions from its operators. But it’s the second malware strain that can compromise Apple’s new M1 architecture. The first was discovered just days before Silver Sparrow.

The proliferation of malware that can target such a new chip architecture so quickly and across a large geographical area has researchers concerned. “Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggests Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” a Red Canary analyst wrote in the company’s detection announcement.

How to Know If You're Infected

Malwarebytes has documented some details about how Silver Sparrow operates that could help Mac users know what to look for. Apple installer packages, or .pkg files, deliver the malware under file names such as update.pkg or updater.pkg. The installer's JavaScript code first runs a program at install time, which prompts the user to allow the package to determine whether the software can be installed.

Silver Sparrow installs a launch agent for the current user, which in turn launches a script every hour to contact a command-and-control server and retrieve data from it. Researchers have not yet found any payload files being delivered by this download. In addition to the JavaScript code, the .pkg file also installs an app named “tasker” or “updater” into the Applications folder. As of now, these apps serve only as placeholders and carry out no significant actions.

Malwarebytes notes that the presence of a ._insu file on a computer likely indicates a previous infection. One peculiarity of Silver Sparrow is that this file instructs the malware to delete itself, so it is possible that detection of the new malware prompted its operators to trigger this kill command.
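A small triage script, added here as an example rather than taken from the article, Red Canary or Malwarebytes, that checks a home directory and an Applications folder for the three indicators described above: an hourly per-user launch agent that runs a shell script, the ._insu self-delete marker, and the placeholder apps. It assumes the ._insu file sits somewhere under the user's home directory, that the placeholder apps are tasker.app and updater.app, and that "every hour" corresponds to a StartInterval of 3600 seconds; the sample tree it builds is constructed test data.

```python
import plistlib
import tempfile
from pathlib import Path

HOURLY = 3600  # assumption: "every hour" as a launchd StartInterval in seconds
PLACEHOLDER_APPS = ("tasker.app", "updater.app")  # placeholder apps named in the article

def launch_agent_findings(home):
    """Flag per-user LaunchAgents that run a shell script on an hourly interval."""
    findings = []
    agents_dir = home / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return findings
    for plist_path in agents_dir.glob("*.plist"):
        try:
            with open(plist_path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # unreadable or non-plist file: skip it rather than abort triage
            continue
        args = [str(a) for a in plist.get("ProgramArguments", [])]
        if plist.get("StartInterval") == HOURLY and any(a.endswith(".sh") for a in args):
            findings.append(f"hourly script launch agent: {plist_path.name} -> {' '.join(args)}")
    return findings

def scan(home, applications):
    """Return human-readable findings; an empty list means none of the indicators were seen."""
    findings = launch_agent_findings(home)
    # The article says a ._insu file likely marks a previous infection (self-delete trigger).
    findings += [f"self-delete marker present: {p}" for p in home.rglob("._insu")]
    findings += [f"placeholder app present: {applications / app}"
                 for app in PLACEHOLDER_APPS if (applications / app).is_dir()]
    return findings

def build_sample_tree():
    """Build a throwaway home and Applications tree carrying all three indicators (constructed data)."""
    root = Path(tempfile.mkdtemp())
    home, apps = root / "home", root / "Applications"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    (home / "Library" / "._insu").touch()
    (apps / "updater.app").mkdir(parents=True)
    agent = {"Label": "sample.agent", "RunAtLoad": True, "StartInterval": HOURLY,
             "ProgramArguments": ["/bin/sh", str(home / "Library" / "sample.sh")]}
    with open(agents / "sample.agent.plist", "wb") as fh:
        plistlib.dump(agent, fh)
    return home, apps

if __name__ == "__main__":
    for line in scan(*build_sample_tree()):
        print(line)
```

On a real Mac you would call scan(Path.home(), Path("/Applications")) instead of the constructed tree; a launch agent matching the hourly pattern is a lead to inspect, not proof of infection on its own.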

Protecting Your Mac

Apple provides specific recommendations for securing your Mac computer from malware infection. This includes a security screening system called Gatekeeper that prohibits app installations except through the official Mac App Store. Apple also recommends that users employ caution when dealing with scripts, web archives, and Java archives, all of which can harm your computer.

Apple also requires its app developers to submit their products for review. The process, called “notarization,” scans apps for security vulnerabilities and malicious content. If there are no threats, the app will be authorized by Gatekeeper to install and run on a Mac computer. But there are always new or emerging threats such as Silver Sparrow.

Despite the best efforts of manufacturers and users, malware can penetrate and cause harm to your Mac computer, iPad, or iPhone. Malware infections can lead to data leaks, file corruption, and data loss. Secure Data Recovery Services is an Apple Certified Macintosh Technician provider, and our data recovery engineers have performed successful recovery services on Apple devices for more than a decade.

Our data recovery engineers have custom-built solutions for data migration, restoration, and conversion regardless of what kind of media storage you’re using. Whatever data storage or data loss scenario you face, Secure Data Recovery Services has the solution.

Call us at 1-800-388-1266 to open a data recovery case or learn more about our recovery services for Mac users. You can also click here to see how our recovery process works.