Malware usually isn’t very mysterious. Once a malicious program is on a machine, it’s typically fairly obvious what it’s trying to do, whether that’s stealing information, spreading across the network, or serving as a loader for other pieces of malware. But researchers have recently discovered a strain of malware that targets macOS--including machines running the new M1 chip--that delivers no payload and has no clear purpose. Yet.
The mysterious program, known as Silver Sparrow, first surfaced in early February when researchers at Red Canary, who were looking for macOS malware that uses the LaunchAgent mechanism for persistence, came across a downloader that didn’t behave the way most similar macOS malware does. It used JavaScript, via the macOS Installer’s JavaScript API, to run its malicious commands, something the researchers hadn’t encountered in other macOS malware before. Red Canary’s team found two separate packages that deliver binaries: one for Intel x86_64 Macs only, and one universal binary for both x86_64 and the new ARM-based M1 processor. Both use JavaScript and both install binaries that seem to do...nothing. Red Canary’s team termed these “bystander binaries” for their seeming uselessness.
“The bystander binaries did nothing, so right now it’s a fully mature distribution network that delivers nothing,” Tony Lambert, an intelligence analyst at Red Canary, said in an interview.
That doesn’t mean that Silver Sparrow’s loader isn’t capable of delivering a malicious payload in the future; it certainly is. However, Lambert said there is no evidence that this has happened so far, even though data from Malwarebytes shows more than 29,000 machines infected with Silver Sparrow.
“It could be anything once it has that access. Your imagination is kind of the limit,” Lambert said.
How Silver Sparrow gets onto machines in the first place is another of the mysteries wrapped up in the malware. A large chunk of malicious programs--malware and other unwanted apps, such as adware--are installed through malicious links, whether on a search engine results page or from a redirect on a site. For several years, macOS has had protections in place to stop malicious apps from being installed, including a Gatekeeper setting that blocks the installation of any app that isn’t signed by an identified developer. Individuals in non-managed environments can override that setting, but Lambert said there’s no real indication of how Silver Sparrow ends up on machines.
“We’re not entirely sure how the initial access happens. We’re not sure where this came from, because we have a lot of data that shows files are widespread and we don’t know how they got there. Where we see installs we see network connections that lead to web browsers,” he said.
“It’s spread across 135 countries, so it seems pretty opportunistic based on that distribution.”
The existence of a version of Silver Sparrow that runs on Macs with the new M1 chip is another curiosity. The M1 is an ARM-based system on a chip and it’s available in some of the newest generation Mac mini and MacBook machines. Its architecture is fundamentally different from that of the Intel x86 chips in older Apple hardware, making it a new challenge for software developers and malware authors alike. Both groups have accepted the challenge, as evidenced not just by the Silver Sparrow infections, but also by an adware strain that Mac researcher Patrick Wardle discovered last week that also targets M1-equipped machines.
The weirdness in Silver Sparrow also extends to some of its behavior after installation. The malware uses an AWS S3 bucket for command and control, and its LaunchAgent runs every hour to check the bucket for content to download. So far, nothing has shown up in that bucket, Lambert said. But there’s also another odd file check that will result in the malware removing itself.
“In addition to the payload mystery, Silver Sparrow includes a file check that causes the removal of all persistence mechanisms and scripts. It checks for the presence of ~/Library/._insu on disk, and, if the file is present, Silver Sparrow removes all of its components from the endpoint. Hashes reported from Malwarebytes indicated that the ._insu file was empty. The presence of this feature is also something of a mystery,” Lambert said in an analysis of the malware.
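The two behaviors described above, a LaunchAgent that fires hourly to run a shell script from the user’s Library folder and a kill-switch check for ~/Library/._insu, are the kind of thing a defender can hunt for on an endpoint. The following Python script is an added example, not code from Red Canary or Malwarebytes: it parses LaunchAgent plists, flags ones that match the pattern the article describes (a shell interpreter launching a .sh script under Library, an hourly StartInterval, RunAtLoad), and reports whether the kill-switch file exists. The two plists embedded below are constructed for illustration and are not captured Silver Sparrow artifacts; the flagging rules are hunting heuristics derived from the description above, not a signature.

```python
"""Hunt for the LaunchAgent persistence pattern and kill-switch file described
in the Silver Sparrow write-up. Added example; heuristics, not a signature."""
from __future__ import annotations

import plistlib
from pathlib import Path

HOUR = 3600
SHELLS = {"sh", "bash", "zsh"}

# Constructed sample: a LaunchAgent shaped like the pattern in the article
# (hourly interval, /bin/sh running a .sh script under ~/Library). Names are
# made up for this example.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>~/Library/Application Support/example_updater/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed sample: a benign agent that runs one binary at login only.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def inspect_launch_agent(plist_bytes: bytes) -> dict:
    """Summarize one LaunchAgent plist and score it against the heuristics."""
    pl = plistlib.loads(plist_bytes)
    args = pl.get("ProgramArguments") or ([pl["Program"]] if "Program" in pl else [])
    interval = pl.get("StartInterval")
    reasons = []
    # A shell interpreter handed a .sh script that lives under a Library folder.
    if args and Path(args[0]).name in SHELLS:
        script = next((a for a in args[1:] if a.endswith(".sh")), None)
        if script and "/Library/" in script:
            reasons.append("shell script under Library run by interpreter")
    if interval == HOUR:
        reasons.append("hourly StartInterval")
    if pl.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    # Two or more matching traits is the (arbitrary) threshold used here.
    return {"label": pl.get("Label"), "args": list(args), "interval": interval,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def kill_switch_present(home: str = "~") -> bool:
    """True if the ~/Library/._insu file the article describes exists."""
    return (Path(home).expanduser() / "Library" / "._insu").exists()


def scan_launch_agents(directory: Path) -> list[dict]:
    """Inspect every .plist in a LaunchAgents directory; never raises."""
    results = []
    if not directory.is_dir():
        return results
    for p in sorted(directory.glob("*.plist")):
        try:
            results.append({"path": str(p), **inspect_launch_agent(p.read_bytes())})
        except Exception as exc:  # malformed plist: record, keep scanning
            results.append({"path": str(p), "error": str(exc)})
    return results


if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(inspect_launch_agent(sample))
    home = Path.home()
    for result in scan_launch_agents(home / "Library" / "LaunchAgents"):
        if result.get("suspicious"):
            print("FLAG", result["path"], result["reasons"])
    print("kill-switch file present:", kill_switch_present(str(home)))
```

Run it as the logged-in user on a Mac to review that user's LaunchAgents; the constructed sample is flagged on three traits while the benign one matches only RunAtLoad. Treat a hit as a lead for manual review, since plenty of legitimate updaters also use hourly intervals, and treat a present ._insu file the same way: the article only says the malware removes itself when the file exists, not what put it there.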
The Silver Sparrow infections are spread across 135 countries, as Lambert noted, and the United States, UK, Canada, France, and Germany all have large concentrations of infections.