Apple has taken steps to eradicate mysterious malware strain

Posted:
in macOS
Following the discovery of a new and unusual malware that had the potential to attack Macs running on Apple Silicon, Apple has moved to minimize any impact the maliciously-crafted software could have in the future.




On Saturday, malware was revealed by by Red Canary researchers to use an unusual attack vector to install malware onto macOS. The cluster, named by researchers as "Silver Sparrow," was also found to be an early example of malware that had the capability of attacking Apple Silicon Macs.

More unusually, the malware seemed to be an in-development or test malware, rather than a fully-realized threat, as it lacked a malicious payload. However, it did have the capability to add such an item at a later date through repeated hourly updates.

So far, it seems that no malicious payload has been delivered at all, and it appears unlikely one will be on the way anytime soon.

Shortly after the publication of the malware details, Apple took steps to curtail the potential damage that Silver Sparrow could cause down the line.

An Apple spokesperson informed AppleInsider the company had already revoked certificates for developer accounts used by the malware's creator to sign the packages. The action effectively prevents any new Macs from being infected by the malware, reducing any further spread.

As well as certificate-revocation, Apple notes that it also employs many security hardware and software protections in its products and services, as well as deploying regular software updates that can prevent threats from having an impact.

While the Mac App Store is probably one of the safest places to acquire Mac software due to these protections, the spokesperson added software acquired outside the Mac App Store is also safeguarded. Apple's use of the Notary Service and other security mechanisms are employed to detect malware and block it before it has a chance to run, they added.

Comments

  • Reply 1 of 9
    I thought this was a macOS issue, not an Apple Silicon Macs issue? Why mention ASi Macs?

    This was a bit of malware that contained a binary compiled for BOTH Intel AND ASi Macs. That's not really a reason to doomclaim that Apple's ASi Macs are somehow more at threat than Intel ones.
    elijahghcrefugeewatto_cobra
  • Reply 2 of 9
    lkrupplkrupp Posts: 10,557member
    darkpaw said:
    I thought this was a macOS issue, not an Apple Silicon Macs issue? Why mention ASi Macs?

    This was a bit of malware that contained a binary compiled for BOTH Intel AND ASi Macs. That's not really a reason to doomclaim that Apple's ASi Macs are somehow more at threat than Intel ones.
    Yeah, it’s a universal binary malware. And you are correct. Headlines elsewhere are screaming M1! ASi Apple Silicon! Oh the humanity! Apple is doomed! We told you so!

    Apparently the technically illiterate media types assumed the M1 Macs are impervious to this and, Ha Ha Ha Ha, they’re not. Apple has failed again!.

    But this is perfectly understandable considering Apple’s constant virtue signaling regarding safety, security, privacy. When you pound you chest like Apple does you invite scrutiny and ‘gotcha’ journalism.
    elijahg
  • Reply 3 of 9
    lkrupp said:

    But this is perfectly understandable considering Apple’s constant virtue signaling regarding safety, security, privacy. When you pound you chest like Apple does you invite scrutiny and ‘gotcha’ journalism.
    That is not what "virtue signaling" is if that your standard business practice, but you do you. 
    citylightsapple
  • Reply 4 of 9
    Hopefully, Apple’s internal security researchers will figure out how to trigger the malware’s self destruct and add that function into a near future security update.
    watto_cobra
  • Reply 5 of 9
    The way articles have been bandied about made it seem like a unique vulnerability in the M1 architecture.  Now it is clear it is just an existing malware that has been compiled natively for M1.

    Obviously, the safest approach is to never download apps outside of the store and not click on clickbait.  Still no one is perfect and a lot of users fall for tricks all the time.

    I know Apple security updates eventually catch up to these types of threats, but it would be nice if they were working on ways to identifying them as they turn up or at least be able to scan for these items that do sneak in.
    watto_cobra
  • Reply 6 of 9
    mknelsonmknelson Posts: 1,145member
    Funny, this reminded me of some of the early Mac viruses like MDEF and WDEF. They could spread very easily (Desktop file to Desktop file) but didn't have a malicious payload. They just took up space, which could cause problems on you tiny floppies!

    This one seems very sophisticated. It'll be interesting if they ever find out who was behind it and what the purpose was/is.
    watto_cobra
  • Reply 7 of 9
    lkrupplkrupp Posts: 10,557member
    mknelson said:
    Funny, this reminded me of some of the early Mac viruses like MDEF and WDEF. They could spread very easily (Desktop file to Desktop file) but didn't have a malicious payload. They just took up space, which could cause problems on you tiny floppies!

    This one seems very sophisticated. It'll be interesting if they ever find out who was behind it and what the purpose was/is.
    Well, the article says Apple has revoked the developer certificates of the author so Apple might have some idea of who/what/where. So how did this bad actor get a certificate in the first place. Was someone asleep at the wheel at Apple? 
  • Reply 8 of 9
    dewmedewme Posts: 5,727member
    lkrupp said:
    mknelson said:
    Funny, this reminded me of some of the early Mac viruses like MDEF and WDEF. They could spread very easily (Desktop file to Desktop file) but didn't have a malicious payload. They just took up space, which could cause problems on you tiny floppies!

    This one seems very sophisticated. It'll be interesting if they ever find out who was behind it and what the purpose was/is.
    Well, the article says Apple has revoked the developer certificates of the author so Apple might have some idea of who/what/where. So how did this bad actor get a certificate in the first place. Was someone asleep at the wheel at Apple? 

    How exactly would Apple identify a bad actor ahead of time? Do they check a different box on their developer account :

    [    ] I am not a Bad Actor
    [ x ] I am a Bad Actor

    The whole notion of revocation is that something that was initially granted is now taken away. Until proven otherwise Apple assumes you're not guilty.

    A not uncommon scenario is that a certificate is compromised by someone other than the entity that the certificate was granted to, so not all revoked certificates are associated with the developer who was granted the certificate.
    killroystevenozroundaboutnowwatto_cobra
  • Reply 9 of 9
    MplsPMplsP Posts: 4,024member
    lkrupp said:
    darkpaw said:
    I thought this was a macOS issue, not an Apple Silicon Macs issue? Why mention ASi Macs?

    This was a bit of malware that contained a binary compiled for BOTH Intel AND ASi Macs. That's not really a reason to doomclaim that Apple's ASi Macs are somehow more at threat than Intel ones.
    Yeah, it’s a universal binary malware. And you are correct. Headlines elsewhere are screaming M1! ASi Apple Silicon! Oh the humanity! Apple is doomed! We told you so!

    Apparently the technically illiterate media types assumed the M1 Macs are impervious to this and, Ha Ha Ha Ha, they’re not. Apple has failed again!.

    But this is perfectly understandable considering Apple’s constant virtue signaling regarding safety, security, privacy. When you pound you chest like Apple does you invite scrutiny and ‘gotcha’ journalism.
    Anyone with half a technical brain knows that M1 macs are capable of running malware as much as any other computer. Hardware design can help but if legitimate software can do something then so can malware. 

    For me this is newsworthy for two reasons:
    first, a significant new malware threat is worth knowing about. Second, because it’s a new hardware platform, any malware threats coming out on the M1 are newsworthy in an of themselves. 

    The fact that hackers are developing M1-specific threats is also noteworthy. 
    muthuk_vanalingamkillroy
Sign In or Register to comment.