One of the big selling points of Macs over Windows PCs is the resistance to viruses and other malware, but a new strain of malware found on 30,000 devices is calling that into question and stumping security experts.
Cybersecurity firm Red Canary, among others, has disclosed the existence of the malware on macOS that uses a LaunchAgent to establish a presence. However, the malware was unusual in that it didn’t behave like usual adware that targets Apple systems.
Red Canary, along with Malwarebytes and VMWare Carbon Black say the malware – Silver Sparrow – has infected 29,139 macOS endpoints across 153 countries as of last week. However, Silver Sparrow has not yet delivered additional malicious payloads, Red Canary said in a blog.
Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice. Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.
The company further said there appear to be two versions of Silver Sparrow, with only one major difference.
The first version contained a Mach-O binary compiled for Intel x86_64 architecture only (updater MD5: c668003c9c5b1689ba47a431512b03cc). In the second version, the adversary included a Mach-O binary compiled for both Intel x86_64 and M1 ARM64 architectures (tasker MD5: b370191228fef82635e39a137be470af). This is significant because the M1 ARM64 architecture is young, and researchers have uncovered very few threats for the new platform.
MacRumos reported yesterday that Apple has revoked the certification of the developer accounts used to sign the packages, thus preventing additional Macs from being infected.
Read Red Canary’s blog for more information, including indicators of compromise.