New Apple macOS malware codenamed ‘Silver Sparrow’ merely infects and stays dormant: Security researchers have also discovered a yet-unused self-destruct mechanism

Macs with the Apple M1 chipset running macOS are being hit by the mysterious Silver Sparrow malware. Pic credit: Michael Geiger/Pixabay

New malware is infecting Apple Inc. MacBook and Mac PCs running macOS. Strangely, the actively spreading macOS malware, codenamed ‘Silver Sparrow’, primarily targets the new Apple M1 SoC that runs on ARM CPUs.

Security researchers have discovered yet another malware that specifically targets the new Apple M1-based MacBook and Mac PCs running macOS. Incidentally, the malware doesn’t have a payload, yet.

Second malware infecting Apple M1 chipset powering macOS discovered:

New malware is actively spreading across the globe. The malicious code, which security researchers have labeled Silver Sparrow, infects Apple macOS.

But more specifically, the new malware goes after Apple PCs that have the latest Apple M1 chipset. So far, security researchers have estimated almost 30,000 infections, and the number is gradually climbing.

Besides the fact that yet another malware targeting the Apple M1 SoC has appeared so quickly, there are a couple of graver concerns about Silver Sparrow.

Once installed, Silver Sparrow searches for the URL the installer package was downloaded from. This is most likely a method to check the most effective or successful delivery or distribution channel. The URL check suggests that malicious search results may be at least one distribution channel, in which case, the installers would likely pose as legitimate apps.

Once the malware silently infects an Apple M1-based macOS machine, it pings a control server every hour. According to researchers, the malware tries to check if there are any new commands it should run or binaries to execute. So far, however, researchers have yet to observe the delivery of any payload on any of the infected devices.

What this means is that the Silver Sparrow malware does not have a payload yet. In other words, the malware merely infects a machine and then does nothing, except for periodically checking for new instructions.

Strangely, the malware also has a self-destruct mechanism. Simply put, the creators of Silver Sparrow have embedded a mechanism to completely remove the malware. However, this mechanism, too, has not been used yet.

How does the Silver Sparrow malware install and evade detection?

Researchers from Red Canary discovered Silver Sparrow and named it. The malicious installer uses the macOS Installer JavaScript API to execute commands. Hence researchers are having a hard time analyzing the installation package contents and the way the package uses the JavaScript commands.
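Packages that run commands through the Installer JavaScript API do so from the package's Distribution file, where functions wired to hooks such as `installation-check` are evaluated before any payload is written. The following is an added example (not from the article or from Red Canary) of a defender-side check that parses a Distribution file and flags hook functions that call `system.run`; the sample Distribution is constructed for illustration and the function and element names in it are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Installer JavaScript API calls that spawn a process while Installer.app evaluates
# the package, i.e. before any payload file is written to disk.
EXEC_CALL = re.compile(r"\bsystem\.run(?:Once)?\s*\(")
# Distribution elements whose attribute holds JavaScript that Installer evaluates automatically.
HOOK_ATTRS = {"installation-check": "script", "volume-check": "script", "choice": "selected"}

# Constructed sample Distribution file (not a real package); the echo command is a harmless stand-in.
SAMPLE = """<installer-gui-script minSpecVersion="1">
  <title>Example Updater</title>
  <installation-check script="pm_install_check()"/>
  <script><![CDATA[
  function pm_install_check() {
    system.run('/bin/sh', '-c', 'echo constructed > /tmp/example.txt');
    return true;
  }
  ]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Default"/>
</installer-gui-script>"""

def _function_bodies(js):
    """Map each top-level JS function name to its body (brace counting; fine for typical scripts)."""
    bodies = {}
    for m in re.finditer(r"function\s+(\w+)\s*\([^)]*\)\s*\{", js):
        start, depth, i = m.end(), 1, m.end()
        while i < len(js) and depth:
            depth += {"{": 1, "}": -1}.get(js[i], 0)
            i += 1
        bodies[m.group(1)] = js[start:i - 1]
    return bodies

def audit_distribution(xml_text):
    """Return (function, hook element, call) for every installer hook whose JS spawns a process."""
    root = ET.fromstring(xml_text)
    bodies = _function_bodies("\n".join(s.text or "" for s in root.iter("script")))
    findings = []
    for tag, attr in HOOK_ATTRS.items():
        for el in root.iter(tag):
            # The attribute is a JS expression; pull the names of the functions it invokes.
            for name in re.findall(r"(\w+)\s*\(", el.get(attr, "")):
                hit = EXEC_CALL.search(bodies.get(name, ""))
                if hit:
                    findings.append((name, tag, hit.group(0).rstrip("( \t")))
    return findings

if __name__ == "__main__":
    for fn, hook, call in audit_distribution(SAMPLE):
        print(f"{hook} -> {fn}() calls {call}")
```

To check a real package, expand it with `pkgutil --expand package.pkg outdir` and pass the contents of `outdir/Distribution` to `audit_distribution`.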

According to the researchers, the malware uses Amazon Web Services and the Akamai content delivery network. Blocking such networks is quite difficult.

Researchers at VMware Carbon Black and Malwarebytes claim Silver Sparrow is a “previously undetected strain of malware.” The majority of infected macOS machines, including those with the new Apple M1 chipset, are located in the US, the UK, Canada, France, and Germany.

Researchers have also discovered two strains of the Silver Sparrow malware. One version’s payload consists of a binary that runs on Intel-based Macs only, while the other is a binary built for both Intel and M1 architectures.

The current payload is a placeholder. When executed, the first version opens a window that literally says “Hello, World!” and the second states “You did it!”

Incidentally, Apple has revoked the developer certificate for both bystander binary files. However, that doesn’t eliminate the potential security risks that the new ARM-based Apple M1 chipset faces.

Meta Skeptic
1 year ago

None of the articles I have found have explained in any detail how and when the virus (or if that is what it actually is) gets into the user’s M1 machine—such as before it gets to the buyer—or if the machine is penetrated during setup, user installing reputable software, email attachments, clicking on Google, or the Duck, using whatever browser, not to mention carelessness.

These concerns aren’t mentioned so far as I have run across. Obviously I must be way behind the curve on this, but I am clearly as skeptical as can be. So when I got mine a few weeks ago, I haven’t used it other than upgrading Creative Cloud, Pixelmator, and Capture One. My mid-2010 machine was starting to gag a bit on my film scanning files. Sad.

Here’s my $.02: what hacker is not going to want to take up the challenge?

The M1 boots faster than my mid-2010, though I will say that with its SSD, it was darn good until the latest CC update. Oh, and I do like Capture One and Pixelmator.

Thanks for reading this. I hope the question merits a reply.
