M1 Macs and Silver Sparrow Malware
Hot on the heels of the release of the new Apple Silicon architecture, a new piece of malware for the Apple M1 processors was recently released. The malware has been detected on almost 37,000 Macs with no evidence yet of a harmful payload being found or determined. Security analysts have not been able thus far to determine the author or the malware’s specifics motives only so far as a proof of concept.
There are two different types of this malware. One was built primarily for the Intel-powered Macs while the other is compiled specifically for Apple's new M1 chipset. Upon discovery of the malware, Apple has retracted the certificates of the developer accounts used to sign the packages to prevent further spread.
How is the malware installed and delivered?
-
The malware is installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, security researchers do not know how these files were specifically delivered to the user.
-
These .pkg files included JavaScript code, in such a way that the code would run at the very beginning before the installation has started. The user would then be asked if they want to allow a program to run “to determine if the software can be installed.”
-
The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named verx.sh once per hour. This script has several functions:
-
First, it will contact a command & control server formerly hosted on Amazon AWS.
-
Next, the malware will check for the file ~/Library/._insu. It appears that this is a zero-byte file, and the malware simply uses it as a marker to indicate that it should delete itself. In this case, the script does exactly that, then exits.
-
Finally, it will try to determine whether there is a newer version of the malware (which will always be the case if the final payload is not yet installed), and if so, it will download the payload from the URL provided in the downloadUrl parameter in the data from the command & control server. However, as can be seen from the data the download URL is blank.
-
There have yet been any instances of this payload on any infected machines. If the payload were downloaded, it would be launched with the args data as the arguments.
-
-
Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either “tasker” or “updater,” depending on the version of the .pkg file. Both apps appear to be very simplistic placeholder apps that don’t do anything interesting.
So, if you do not have the malware infected on your machine already, you do not need to worry about getting it as Apple has disabled the propagation vector (thru signed certificates). If you have been infected or want to determine if you have been, a tool has recently been released on GitHub:
https://github.com/datto/silver-sparrow-detection-and-prevention-tool
References:
https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/
https://mashable.com/article/mac-malware-detected-m1-and-intel-chip-silver-sparrow/
https://redcanary.com/blog/clipping-silver-sparrows-wings/