Security analysts from Red Canary came across a previously undetected “activity cluster” that infected 29,139 Macs across more than 153 countries, with high volumes of compromises in the United States, the United Kingdom, Canada, France, and Germany.
While malware designed to target macOS-based devices is nothing new, this new activity cluster, tracked as Silver Sparrow, is a baffling mystery for the researchers due to its unusual properties.
Specifically, the researchers have found two versions of the Silver Sparrow malware: the first variant contains a Mach-O binary compiled for the Intel x86_64 architecture only, while the second contains a Mach-O binary compiled for both Intel x86_64 and Apple M1 ARM64 architectures. Red Canary refers to these binaries as “bystander binaries,” because, so far, neither version appears to do much of anything.
The malware was delivered as two different files, named 'updater.pkg' and 'update.pkg'. Both versions use the same techniques to execute, differing only in the compilation of the “bystander binary”.
For now, Silver Sparrow’s real purpose remains unknown, as the researchers have not observed the malware delivering any malicious payloads yet.
“In order of appearance, the first novel and noteworthy thing about Silver Sparrow is that its installer packages leverage the macOS Installer JavaScript API to execute suspicious commands. While we’ve observed legitimate software doing this, this is the first instance we’ve observed it in malware. This is a deviation from behavior we usually observe in malicious macOS installers, which generally use preinstall or postinstall scripts to execute commands,” Red Canary noted in its blog post.
Using JavaScript, Silver Sparrow creates shell scripts that communicate with the command and control servers, and LaunchAgent plist XML files that execute those shell scripts periodically. Every hour, the persistence LaunchAgent tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.
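A hunting script for the persistence shape described above (an hourly LaunchAgent handing a shell script to the shell, plus the ~/Library/._insu file), written as an added example rather than Red Canary's tooling; the plist below is a constructed sample, and its label and paths are assumptions, not real Silver Sparrow values.

```python
"""Hunt for LaunchAgent plists shaped like the Silver Sparrow persistence job.
Added example, not Red Canary's tooling. The plist below is a constructed
sample; its label and paths are assumptions, not real Silver Sparrow values.
"""

import plistlib
from pathlib import Path
from typing import Dict, List

HOUR = 3600
SHELLS = {"sh", "bash", "zsh"}

# Constructed: an hourly job that hands a shell script under the user's home
# directory to /bin/sh, which is the pattern the article describes.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/user/Library/Application Support/example/agent.sh</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def assess_agent(raw: bytes) -> List[str]:
    """Return the suspicious traits found in one LaunchAgent plist."""
    data = plistlib.loads(raw)
    args = [str(a) for a in data.get("ProgramArguments") or [data.get("Program", "")]]
    traits = []
    if data.get("StartInterval") == HOUR:          # hourly schedule, as in the article
        traits.append("hourly StartInterval")
    if args and (Path(args[0]).name in SHELLS or any(a.endswith(".sh") for a in args)):
        traits.append("runs shell script")         # shell + script rather than an app binary
    return traits

def hunt(agent_dir: Path, home: Path) -> Dict[str, object]:
    """Scan a LaunchAgents directory and record whether ~/Library/._insu exists."""
    findings: Dict[str, object] = {}
    for plist in agent_dir.glob("*.plist"):
        traits = assess_agent(plist.read_bytes())
        if len(traits) == 2:                        # require both traits to limit noise
            findings[plist.name] = traits
    # Presence of ._insu makes Silver Sparrow remove itself, so note it during triage.
    findings["insu_present"] = (home / "Library" / "._insu").exists()
    return findings
```

Run `hunt(Path.home() / "Library" / "LaunchAgents", Path.home())` on a host under investigation; a match is a lead to review, not proof of infection, since legitimate agents can also run hourly shell scripts.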
“In addition to the payload mystery, Silver Sparrow includes a file check that causes the removal of all persistence mechanisms and scripts. It checks for the presence of ~/Library/._insu on disk, and, if the file is present, Silver Sparrow removes all of its components from the endpoint,” the report said.
Apple has revoked the developer certificates that allowed the malware to propagate and, according to the macOS maker, new machines can no longer be infected.