Mysterious Macintosh Malware
This is weird:
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.
Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.
The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.
Feels government-designed, rather than criminal or hacker.
Clive Robinson • March 2, 2021 8:31 AM
@ Bruce, ALL,
Almost certainly a level III attacker but “State or Commercial”? But I must admit the little said makes me think of those that made the likes of Duqu and Flame in particular.
It would be interesting to see if the hourly “ET Phone home to the mothership” sends any particular information, that may be used as an Intelligence Flag.
That is, you launch a “Fire and Forget” equivalent of a “loader” that just reports back with basic info. However, if the info is a match for “a target's MO” then and only then do you download the “full kit” of tools and only to that computer.
It’s the sort of thing you would do if you know your target practices more than basic opsec and does things like swap computers on a very regular basis as they move about in quite a large geographic area.