Reports of Macs being infected with malware are relatively uncommon. However, a new threat that has already infected almost 30,000 Macs has security researchers worried because of its sophistication and how little is known about it.
Researchers at Red Canary have discovered a new strain of macOS malware which they have dubbed "Silver Sparrow". The malware is unusual in several ways, the main one being that it has so far remained mostly dormant: although it contacts its control servers once an hour to check for binaries to execute, no malicious payload has yet been observed being delivered.
Furthermore, in addition to the Intel x86_64 variant, there is a counterpart that runs natively on Apple M1 hardware. Both variants also carry a "bystander binary" which, when executed, does nothing more than print "Hello World!" (on the x86_64 build) or "You did it!" (on the M1 build).
While having these messages printed on the display is not a concern in itself, it points to the bigger issue: the placeholder binaries appear to be stand-ins for a malicious payload that the malware is built to fetch from its control servers and execute. Red Canary also highlighted that the infrastructure makes effective use of AWS and Akamai CDNs, which makes it difficult to track and take down.
Another concerning fact about Silver Sparrow is that it includes a self-destruct mechanism that removes all traces of the malware from an infected device. More mysterious still, this mechanism has not been observed in use on infected machines, which suggests it is fetched or triggered only when currently unknown conditions are met.
The distribution method of Silver Sparrow is also unknown. Red Canary's researchers stated:
At the time of publishing, we’ve identified a few unknown factors related to Silver Sparrow that we either don’t have visibility into or simply enough time hasn’t passed to observe. First, we aren’t certain of the initial distribution method for the PKG files. We suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In this case we can’t be certain because we don’t have the visibility to determine exactly what caused the download.
[...] In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.
The findings of the report are reasonable cause for alarm. Much about Silver Sparrow is still unknown, and its sophisticated, stealthy design points to a capable adversary. Red Canary reports that 29,139 macOS endpoints were infected as of February 17, 2021, with victims in 153 countries and the heaviest concentrations in the US, UK, Canada, France, and Germany. The researchers have included a list of indicators you can use to check whether your Mac is infected, under the "Detection opportunities" heading near the bottom of their report.
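As an added example (not code from the article or from Red Canary), the following Python script shows one way to hunt on a single Mac for the hourly check-in behaviour described above. The article does not say how Silver Sparrow schedules its hourly contact with the control servers, so the script assumes a launchd LaunchAgent, the standard macOS mechanism for periodic execution, and scores each agent plist on four signals: a StartInterval of an hour or less, RunAtLoad, a shell interpreter as the program, and a script stored under a user-writable path. The two sample plists, the labels com.example.backup and com.example.updater and the user path under /Users/alice are constructed for the demo and are not indicators from the report.

```python
"""Hunt for launchd LaunchAgents that run a shell script on an hourly schedule.

Added example, not code from the article or from Red Canary. The article says
Silver Sparrow checks in with its control servers once an hour but does not say
how that schedule is implemented; this script ASSUMES a launchd LaunchAgent
(the usual way to run something periodically on macOS) and flags agents that
combine a short StartInterval, RunAtLoad and a shell script in a user-writable
location. The sample plists below are constructed for the demo.
"""
import plistlib
from pathlib import Path

HOURLY_SECONDS = 3600
# Paths a non-root installer can write to; legitimate agents rarely execute
# shell scripts from these locations.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/")
WRITABLE_FRAGMENTS = ("/Library/Application Support/",)
SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh"}


def scan_launch_agent(plist_bytes: bytes) -> dict:
    """Score one LaunchAgent plist (raw XML or binary bytes) and explain why."""
    plist = plistlib.loads(plist_bytes)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if not args and plist.get("Program"):
        args = [str(plist["Program"])]

    reasons = []
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= HOURLY_SECONDS:
        reasons.append(f"runs at least hourly (StartInterval={interval}s)")
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad=true (starts at login)")
    if args and args[0] in SHELL_INTERPRETERS:
        reasons.append(f"program is a shell interpreter ({args[0]})")
    for arg in args[1:]:
        if arg.startswith(WRITABLE_PREFIXES) or any(f in arg for f in WRITABLE_FRAGMENTS):
            reasons.append(f"script lives in a user-writable path ({arg})")
            break

    return {
        "label": plist.get("Label", "<no Label>"),
        "args": args,
        "reasons": reasons,
        # Three or more independent signals together are worth an analyst's look.
        "suspicious": len(reasons) >= 3,
    }


def scan_directory(directory: Path) -> list:
    """Scan every *.plist in a LaunchAgents directory and return the verdicts."""
    return [scan_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))]


# --- Constructed sample agents (demo data, not real indicators) -------------
BENIGN_AGENT = {
    "Label": "com.example.backup",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup", "--sync"],
    "StartCalendarInterval": {"Hour": 2, "Minute": 0},
}
SUSPECT_AGENT = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/sh", "/Users/alice/Library/Application Support/updater/update.sh"],
    "RunAtLoad": True,
    "StartInterval": 3600,
}


def verdict_for(agent: dict) -> dict:
    """Score an in-memory sample without touching the filesystem."""
    return scan_launch_agent(plistlib.dumps(agent))


if __name__ == "__main__":
    for agent in (BENIGN_AGENT, SUSPECT_AGENT):
        v = verdict_for(agent)
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{flag:10} {v['label']}: {'; '.join(v['reasons']) or 'no signals'}")
    # On a real Mac, also walk the per-user agents directory.
    user_agents = Path.home() / "Library" / "LaunchAgents"
    if user_agents.is_dir():
        for v in scan_directory(user_agents):
            if v["suspicious"]:
                print("SUSPICIOUS", v["label"], v["args"])
```

A hit from this script is a lead, not a conviction: plenty of legitimate updaters use RunAtLoad and a short StartInterval, so compare any flagged agent against the indicators under Red Canary's "Detection opportunities" heading before acting, and extend `scan_directory` to /Library/LaunchAgents as well as the per-user directory if you run it on a shared machine.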