The software designed for Intel and ARM Macs has a self-destruct function and regularly contacts command servers, but so far does nothing.
Security researchers have discovered new malware that has already made its home on Macs. So far, however, she has not done anything except wait for further orders. The malware called Silver Sparrow comes as an installation package on Macs and obviously has to be installed by the user first. There is both an “updater.pkg”, which is designed for Intel Macs, and an update.pkg, which delivers a program adapted for Intel and ARM Macs in the standard Mach-O binary format, such as the security company Red Canary explained.
Malware has not yet received any new commands
The program is nothing more than a “viewer”, according to the security company’s analysis . If it is opened, it either simply shows “Hello, World!” or “You did it!” at. The malware uses the installer JavaScript interface of macOS to execute shell scripts and to settle permanently on the system as a LaunchAgent. Silver Sparrow contacted a command server every hour to load and execute additional content. The tool was observed for over a week, but no payload was reloaded, which is why the target of the malware remains a mystery, according to the security researchers.
The AV tool Malwarebytes was able to detect an infection with Silver Sparrow on more than 29,000 Macs by mid-February; the malware was particularly frequently installed on Macs in the USA, Great Britain, Canada, France and Germany.
Certificate withdrawn by Apple
It is unclear how the installation package is delivered. The security researchers suspect that it is sold through various channels and disguised as legitimate Mac software that is offered for download on Macs via manipulated advertising banners or search results. Apple has apparently withdrawn the developer certificates used by the installation packages for signing.
What is unusual for malware that is so common in the wild is that it has a self-destruct routine with which it is supposed to disappear from an infected Mac without a trace. This has apparently not been ignited so far, according to the security researchers. Such techniques are otherwise more likely to use malware that is targeted against individuals.
[Update 02/22/2021 6:20 pm] The following files can be found on an infected Mac, which are considered “indicators of a compromise”, as the security researchers write:
/tmp/agent.sh
/tmp/version.json
/tmp/version.plist
~/Library/._insu
