Hot on the heels of the release of the new Apple Silicon architecture, a new piece of malware for the Apple M1 processors was recently discovered. The malware has been detected on almost 37,000 Macs, with no evidence yet of a harmful payload being found or determined. Security analysts have so far been unable to identify the author or the malware's specific motives beyond its apparent role as a proof of concept.
There are two variants of this malware. One was built primarily for Intel-powered Macs, while the other is compiled specifically for Apple's new M1 chipset. Upon discovery of the malware, Apple revoked the certificates of the developer accounts used to sign the packages to prevent further spread.
How is the malware installed and delivered?
- The malware is installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, security researchers do not know how these files were delivered to the user.
- These .pkg files include JavaScript code that runs at the very beginning, before the installation has started. The user is asked whether they want to allow a program to run "to determine if the software can be installed."
- The malicious JavaScript code installs a launch agent plist file for the current user, which launches a script named verx.sh once per hour. This script has several functions:
  - First, it contacts a command & control server formerly hosted on Amazon AWS.
  - Next, it checks for the file ~/Library/._insu. This appears to be a zero-byte file that the malware uses simply as a marker indicating that it should delete itself. If the file is present, the script does exactly that, then exits.
  - Finally, it tries to determine whether a newer version of the malware is available (which is always the case while the final payload is not yet installed) and, if so, downloads the payload from the URL given in the downloadUrl parameter of the data returned by the command & control server. However, as can be seen from that data, the download URL is blank.
- No instances of this payload have yet been found on any infected machine. If the payload were downloaded, it would be launched with the args data as its arguments.
Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either “tasker” or “updater,” depending on the version of the .pkg file. Both apps appear to be very simplistic placeholder apps that don’t do anything interesting.
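The host indicators described above (a per-user launch agent that runs verx.sh, the tasker/updater placeholder apps, and the ~/Library/._insu self-delete marker) can be checked with a few lines of Python. This is an added example written for this post, not the Datto tool or any researcher's code; the function and parameter names are this example's own, and it assumes user launch agents live in ~/Library/LaunchAgents.

```python
"""Added example: look for the Silver Sparrow indicators this post describes
and, optionally, plant the zero-byte ~/Library/._insu marker that the post
says verx.sh treats as a signal to delete itself."""
import glob
import os
import plistlib

MARKER_NAME = "._insu"                     # zero-byte self-delete marker from the post
SCRIPT_NAME = "verx.sh"                    # hourly script launched by the launch agent
APP_NAMES = ("tasker.app", "updater.app")  # placeholder apps dropped into /Applications


def launch_agent_findings(home):
    """Return paths of user launch agent plists whose ProgramArguments mention verx.sh."""
    hits = []
    for path in glob.glob(os.path.join(home, "Library", "LaunchAgents", "*.plist")):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            continue  # unreadable or not a plist: skip rather than report
        args = data.get("ProgramArguments", [])
        if any(SCRIPT_NAME in str(a) for a in args):
            hits.append(path)
    return hits


def scan(home, applications="/Applications"):
    """Collect indicator findings as (kind, path) tuples."""
    findings = [("launch_agent", p) for p in launch_agent_findings(home)]
    for name in APP_NAMES:
        app = os.path.join(applications, name)
        if os.path.isdir(app):
            findings.append(("app", app))
    marker = os.path.join(home, "Library", MARKER_NAME)
    if os.path.exists(marker):
        findings.append(("marker", marker))  # informational: self-delete signal present
    return findings


def plant_marker(home):
    """Create the zero-byte marker; per the post, verx.sh deletes itself when it exists."""
    marker = os.path.join(home, "Library", MARKER_NAME)
    os.makedirs(os.path.dirname(marker), exist_ok=True)
    open(marker, "ab").close()  # touch without truncating
    return marker


if __name__ == "__main__":
    for kind, path in scan(os.path.expanduser("~")):
        print(f"{kind}: {path}")
```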
So, if your machine is not already infected, you do not need to worry about getting this malware, as Apple has disabled the propagation vector by revoking the signing certificates. If you have been infected, or want to determine whether you have been, a tool has recently been released on GitHub:
https://github.com/datto/silver-sparrow-detection-and-prevention-tool
References:
https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/
https://mashable.com/article/mac-malware-detected-m1-and-intel-chip-silver-sparrow/