Photo Courtesy of https://9to5mac.com
A new piece of malware has infected 30,000 Macs worldwide, and security researchers are still trying to work out what goal it serves, why it can self-destruct, and what its general purpose is. Over 153 countries have infections, with the most cases in the United States, United Kingdom, Canada, France and Germany. It uses the Akamai content delivery network and Amazon Web Services for its command infrastructure, which keeps the command channel running smoothly while making those servers difficult to block. The malware is called Silver Sparrow, named by researchers at the security firm Red Canary.
Macs infected with the malware check its server to see if there are new commands to run, but so far there haven’t been any, leaving its goal unknown. This suggests it may only carry out its purpose once some hidden condition is met. As mentioned before, the malware can self-destruct, meaning it can completely remove itself from the Mac. This mechanism is usually reserved for high-stealth operations, but there is still no known reason why it has this capability.
This is the second piece of malware found that runs natively on the M1 chip, which was only released back in November. It also uses the macOS Installer JavaScript API to execute commands, which makes it harder to inspect the contents of the installation package and see what its JavaScript commands do.
The researchers at Red Canary noted that while it isn’t dangerous yet, its compatibility with the M1 chip, its global reach and its capacity to deal damage to infected computers at any time still make it a serious threat. Red Canary chose to reveal this information because of that concern.
This malware comes in two versions, one compiled for Intel x86_64 processors and one for the M1. The x86_64 version, a binary in mach-object format, displays “Hello World” when executed, while the Mach-O binary for the M1 displays “You did it!” The researchers named them bystander binaries. The text displayed when each binary is executed is suspected to be a placeholder, so that the installer has something to distribute content outside its JavaScript execution.
Silver Sparrow comes in two versions: one with a binary in mach-object format compiled for Intel x86_64 processors, and the other a Mach-O binary for the M1. The image below offers a high-level overview of the two versions:
So far, researchers haven’t seen either binary do much of anything, prompting the researchers to refer to them as “bystander binaries.” Curiously, when executed, the x86_64 binary displays the words “Hello World!” while the M1 binary reads “You did it!” The researchers suspect the files are placeholders to give the installer something to distribute content outside the JavaScript execution. Apple has revoked the developer certificate for both bystander binary files.
The Silver Sparrow runs solely on Apple’s M1 chip. M1 code runs faster and more reliably on the M1 than x86_64 code does, since it doesn’t have to be translated before being executed. Developers of macOS applications still haven’t finished recompiling their code for the M1, which suggests the malware’s developers are ahead of the curve compared with legitimate macOS developers.
When Silver Sparrow is installed, it looks up the URL the package was downloaded from, which lets its operators know which distribution channels are the most successful at spreading the malware. In that sense it’s similar to other macOS adware. Even so, it is still unclear where and how it is being distributed. The URL check suggests it may have more than one distribution channel.
After discovering the malware, Apple revoked the developer certificates, according to an Apple spokesperson. Apple noted that the malware has not delivered a malicious payload, that is, code to be executed. The company also said that it provides hardware and software protections and software updates, and that the Mac App Store is the safest place to get software for the Mac.
Patrick Wardle, a macOS security expert, wrote in an Internet message that the number of infected computers was likely higher, since there’s only so much Malwarebytes can see. 29,139 macOS computers had been infected as of Wednesday, according to the Red Canary researchers working hand in hand with researchers at Malwarebytes. This shows that macOS malware is becoming more and more prevalent, even with Apple’s best efforts.
If you want to check whether your Mac has the Silver Sparrow malware, check whether it has any of the following files:
~/Library/._insu
/tmp/agent.sh
/tmp/version.json
/tmp/version.plist
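Here is a small shell script, added as an example for this post and not taken from Red Canary or Apple, that checks for the four file indicators above across every home directory under /Users plus the system /tmp. The second argument (a path prefix) is my own addition so the same check can be pointed at a mounted disk image or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: look for the Silver Sparrow file indicators listed in the post.
# Usage: silver_sparrow_scan HOME_DIR [PREFIX]
#   HOME_DIR  the user home to check for ~/Library/._insu
#   PREFIX    optional prefix for the absolute /tmp paths (assumed; use "" for
#             the live system, or the mount point of an image to scan offline)
# Prints each indicator found and returns 0 if none were found, 1 otherwise.
silver_sparrow_scan() {
    _home="$1"
    _prefix="${2:-}"
    _found=0
    for _f in "$_home/Library/._insu" \
              "$_prefix/tmp/agent.sh" \
              "$_prefix/tmp/version.json" \
              "$_prefix/tmp/version.plist"; do
        if [ -e "$_f" ]; then
            _found=$((_found + 1))
            printf 'FOUND: %s\n' "$_f"
            # Show owner and modification time for the investigation notes.
            ls -ld "$_f"
        fi
    done
    [ "$_found" -eq 0 ]
}

# Stand-alone use: check every home directory on this Mac plus /tmp.
rc=0
for home in /Users/*; do
    [ -d "$home" ] || continue
    silver_sparrow_scan "$home" "" || rc=1
done
if [ "$rc" -eq 0 ]; then
    echo "No Silver Sparrow file indicators found."
else
    echo "Indicators present: investigate this Mac."
fi
```

A hit on any path means the file exists, not that it is still active; keep the file for analysis rather than deleting it straight away.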