Silver Sparrow, a new malware infects Mac systems using Apple M1 chip

Pierluigi Paganini February 20, 2021

Experts warn of new malware, dubbed Silver Sparrow, that is infecting Mac systems using the latest Apple M1 chip across the world.

Malware researchers at Red Canary uncovered a new malware, dubbed Silver Sparrow, that is infecting Mac systems using the latest Apple M1 chip across the world.

According to data shared by Malwarebytes, as of February 17, Silver Sparrow had already infected 29,139 macOS endpoints across 153 countries. Most of the infections were observed in Canada, France, Germany, the United Kingdom, and the United States.

“However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems.” reads the analysis published by RedCanary. “The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware—and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture.”

Like the other malware recently spotted by the popular expert Patrick Wardle, Silver Sparrow is a macOS adware that was recompiled to infect systems running the Apple M1 chip.

At the time of this writing, it is not clear which is the final payload that threat actors behind the Silver Sparrow adware intend to deploy on the victim machines. Experts believe that this malware is the result of advanced and sophisticated adversaries.

Threat actors are focusing their efforts on developing threats to target the devices using the new Apple chip, Wardle pointed out that (static) analysis tools or antivirus engines face difficulties in analyzing ARM64 binaries, this is demonstrated by the fact that the detection rate for these malware is lower when compared to the Intel x86_64 version.

RedCanary experts found two versions of the Silver Sparrow adware, one designed to targets Intel-based Macs, and one that is built to infect also M1-powered systems. The malicious code outstands for the use of JavaScript for execution, which is a rarity macOS malware landscape.

Silver Sparrow

The number of infected devices and the specific targets of this malware let the experts into believing that the threat actors are preparing a dangerous campaign that will involve a still unknown malicious payload.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.” continue the researchers.

At the time it is unclear how the threat actors are spreading the malware.

The command and control infrastructure is hosted on the Amazon Web Services S3 cloud platform, while callback domains for this activity cluster leveraged domains hosted through Akamai CDN.

“This implies that the adversary likely understands cloud infrastructure and its benefits over a single server or non-resilient system. Further, the adversary that likely understands this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic. Most organizations cannot afford to block access to resources in AWS and Akamai.” continues the analysis. “The decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary.”

Silver Sparrow uses the macOS Installer JavaScript API to execute suspicious commands, this is the first instance experts have observed this behaviour in malware

“The malicious JavaScript commands, on the other hand, run using the legitimate macOS Installer process and offer very little visibility into the contents of the installation package or how that package uses the JavaScript commands.” continues the analysis.

Silver Sparrow leverages Apple’s system.run command for execution, the attacker can provide the full path to a process for execution and its arguments. Then the malware causes the installer to spawn multiple bash processes that it can then use to accomplish its objectives.

The malware uses functions appendLine, appendLinex, and appendLiney to extend the bash commands with arguments that write input to files on disk. The adware writes each of its components out line by line with JavaScript commands.

This technique allows the attackers to quickly modify the code and avoid simple static antivirus signatures by dynamically generating the script rather than using a static script file.

Upon executing Silver Sparrow it will leave two scripts on an infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.

The agent.sh script executes immediately at the end of the installation to contact the C2 and register the infection, while the verx.sh script executes periodically, using a persistent LaunchAgent to contact a remote host for more information, including other payloads to execute.

Experts pointed out that none of the infected hosts downloaded a next stage payload, experts believe that this missing piece could be used to carry out malicious activities, including data exfiltration, cryptomining, or conduct a DDoS attack.

“In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.” concludes the report.

“Finally, the purpose of the Mach-O binary included inside the PKG files is also a mystery. Based on the data from script execution, the binary would only run if a victim intentionally sought it out and launched it. The messages we observed of “Hello, World!” or “You did it!” could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Avaddon ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment