Malware researchers at Red Canary uncovered a new malware, dubbed Silver Sparrow, that is infecting Mac systems using the latest Apple M1 chip across the world.
According to data shared by Malwarebytes, as of February 17, Silver Sparrow had already infected 29,139 macOS endpoints across 153 countries. Most of the infections were observed in Canada, France, Germany, the United Kingdom, and the United States.
Like other malware recently spotted by the well-known expert Patrick Wardle, Silver Sparrow is a macOS adware that was recompiled to infect systems running the Apple M1 chip.
At the time of this writing, it is not clear what final payload the threat actors behind the Silver Sparrow adware intend to deploy on victim machines. Experts believe that this malware is the work of advanced and sophisticated adversaries.
Threat actors are focusing their efforts on developing threats that target devices using the new Apple chip. Wardle pointed out that (static) analysis tools and antivirus engines have difficulty analyzing ARM64 binaries, as demonstrated by the lower detection rate for these samples compared to their Intel x86_64 versions.
The number of infected devices and the specific targets of this malware led the experts to believe that the threat actors are preparing a dangerous campaign that will involve a still unknown malicious payload.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.” continued the researchers.
At the time of this writing, it is unclear how the threat actors are spreading the malware.
The command and control infrastructure is hosted on the Amazon Web Services S3 cloud platform, while callback domains for this activity cluster leveraged domains hosted through Akamai CDN.
“This implies that the adversary likely understands cloud infrastructure and its benefits over a single server or non-resilient system. Further, the adversary likely understands that this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic. Most organizations cannot afford to block access to resources in AWS and Akamai.” continues the analysis. “The decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary.”
Silver Sparrow leverages Apple’s system.run command for execution: the attacker can provide the full path to a process to execute along with its arguments. The malware then causes the installer to spawn multiple bash processes, which it uses to accomplish its objectives.
This technique allows the attackers to quickly modify the code and avoid simple static antivirus signatures by dynamically generating the script rather than using a static script file.
Upon execution, Silver Sparrow leaves two scripts on the infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.
The agent.sh script executes immediately at the end of the installation to contact the C2 and register the infection, while the verx.sh script executes periodically, using a persistent LaunchAgent to contact a remote host for more information, including other payloads to execute.
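As an added defender-side example (not code from the Red Canary report or this article), the following shell function checks a macOS user profile for the two dropped scripts named above and for a user LaunchAgent that references the verx_updater directory. The article does not give the LaunchAgent’s label, so matching plists by that path is an assumption; the directory arguments exist only so the check can be pointed at a mounted image or a test tree.

```shell
#!/bin/sh
# Added hunting example: look for the Silver Sparrow artifacts described in the text.
# Paths /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh come
# from the report; the LaunchAgent match on "verx_updater" is an assumption.
#
# Usage: silver_sparrow_check [HOME_DIR] [TMP_DIR]
# Prints each artifact found; the return code is the number of hits (0 = clean).
silver_sparrow_check() {
    home="${1:-$HOME}"
    tmp="${2:-/tmp}"
    hits=0

    # Stage 1: the two scripts dropped at install time
    for f in "$tmp/agent.sh" "$home/Library/Application Support/verx_updater/verx.sh"; do
        if [ -f "$f" ]; then
            echo "FOUND script: $f"
            hits=$((hits + 1))
        fi
    done

    # Stage 2: persistence via a per-user LaunchAgent pointing at verx.sh.
    # Label unknown, so inspect every plist for the verx_updater path (assumption).
    if [ -d "$home/Library/LaunchAgents" ]; then
        for p in "$home/Library/LaunchAgents"/*.plist; do
            [ -f "$p" ] || continue
            if grep -q 'verx_updater' "$p" 2>/dev/null; then
                echo "FOUND LaunchAgent referencing verx_updater: $p"
                hits=$((hits + 1))
            fi
        done
    fi

    return "$hits"
}
```

Run it per user (for example from a loop over /Users/*) and treat any non-zero return as a host to isolate and image before the periodic verx.sh run fetches a next stage.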
Experts pointed out that none of the infected hosts downloaded a next-stage payload; they believe that this missing piece could be used to carry out malicious activities such as data exfiltration, cryptomining, or DDoS attacks.
“In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.” concludes the report.
“Finally, the purpose of the Mach-O binary included inside the PKG files is also a mystery. Based on the data from script execution, the binary would only run if a victim intentionally sought it out and launched it. The messages we observed of “Hello, World!” or “You did it!” could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate.”