Over the years, Apple has built a reputation for making impeccable computers, but lately that reputation has taken some hits, and the latest ARM-powered Macs are no exception. Recently, security researchers at Malwarebytes and Red Canary discovered a new piece of malware, known as “Silver Sparrow,” that has infected around 30,000 Macs.
Researchers at Red Canary first discovered Silver Sparrow and have been analyzing it for over a week now. They are still uncertain about what damage the malware can do, but say it could be a ‘reasonably serious threat.’ Meanwhile, according to data provided by Malwarebytes, Silver Sparrow has infected 29,139 Macs across 153 countries, with the highest numbers of cases in the U.S., Canada, the U.K., Germany, and France.
Silver Sparrow: Not leaving ARM-based Macs alone
Red Canary has gone into more depth about Silver Sparrow’s discovery and how it is not limited to Intel-powered Macs but is also infecting the latest ARM-based Macs, including the months-old M1-powered Mac mini, MacBook Air, and MacBook Pro. According to Red Canary, the malware comes in two variants: one built for the older Intel-powered macOS systems, and a second built specifically for the recently announced ARM-based M1-powered Macs.
“We’ve found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as a legitimate application—such as Adobe Flash Player—or as updates. In this case, however, the adversary distributed the malware in two distinct packages: updater.pkg and update.pkg. Both versions use the same techniques to execute, differing only in the compilation of the bystander binary,” Red Canary’s blog post reads.
At least for now, Silver Sparrow seems harmless, and according to Red Canary, Silver Sparrow’s binaries “don’t seem to do all that much.” When executed, the malicious package shows a blank window that says “Hello, World!” on Intel-powered Macs, whereas on M1-powered Macs it displays a red window with the message “You did it!”
Red Canary has suggested some steps to figure out whether your Mac is under threat, but these steps are not specific to detecting Silver Sparrow.
– Look for a process that appears to be PlistBuddy executing in conjunction with a command-line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
– Look for a process that appears to be sqlite3 executing in conjunction with a command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
– Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.
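The three hunting analytics above can be turned into a small script that runs over process-execution telemetry. The following is an added example, not code from Red Canary or from this article: it encodes each analytic as a process name plus the command-line terms that must all be present, and runs them over a handful of constructed process events shaped like EDR output. The event field names, the sample command lines, and the bucket and file paths in them are assumptions made for the example. Note that legitimate installers also call PlistBuddy and curl, so a hit is a lead for triage rather than proof of infection.

```python
"""Run Red Canary's three macOS hunting analytics over process events.

Added example (not Red Canary's or the article's own code). The event
format, field names and sample command lines below are constructed for
this illustration and are not taken from any real telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str     # full path of the executable that was launched
    cmdline: str   # full command line as recorded by the sensor


@dataclass(frozen=True)
class Analytic:
    name: str
    process_names: Tuple[str, ...]   # executable basename(s) to match (case-insensitive)
    required_terms: Tuple[str, ...]  # every term must appear in the command line


# The three analytics quoted above, expressed as data so they can be extended.
ANALYTICS: Tuple[Analytic, ...] = (
    Analytic("launchagent-persistence", ("PlistBuddy",),
             ("LaunchAgents", "RunAtLoad", "true")),
    Analytic("quarantine-db-access", ("sqlite3",), ("LSQuarantine",)),
    Analytic("s3-bucket-download", ("curl",), ("s3.amazonaws.com",)),
)


def basename(path: str) -> str:
    """Return the last path component, e.g. /usr/libexec/PlistBuddy -> PlistBuddy."""
    return path.rsplit("/", 1)[-1]


def matches(event: ProcessEvent, analytic: Analytic) -> bool:
    """True when the process name matches and every required term is in the command line."""
    names = {n.lower() for n in analytic.process_names}
    if basename(event.image).lower() not in names:
        return False
    lowered = event.cmdline.lower()
    return all(term.lower() in lowered for term in analytic.required_terms)


def hunt(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, analytic name) for every event that trips an analytic."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        for analytic in ANALYTICS:
            if matches(ev, analytic):
                hits.append((ev.pid, analytic.name))
    return hits


# Constructed sample events: three that should trip an analytic, three benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(101, "/usr/libexec/PlistBuddy",
                 "PlistBuddy -c 'Add :RunAtLoad bool true' "
                 "/Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    ProcessEvent(102, "/usr/bin/sqlite3",
                 "sqlite3 /Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "
                 "'select LSQuarantineDataURLString from LSQuarantineEvent'"),
    ProcessEvent(103, "/usr/bin/curl",
                 "curl -s https://EXAMPLE-BUCKET.s3.amazonaws.com/version.json -o /tmp/version.json"),
    ProcessEvent(104, "/usr/bin/curl", "curl -s https://example.com/index.html"),
    ProcessEvent(105, "/usr/libexec/PlistBuddy",
                 "PlistBuddy -c 'Print :CFBundleVersion' /Applications/Example.app/Contents/Info.plist"),
    ProcessEvent(106, "/usr/bin/sqlite3", "sqlite3 /tmp/notes.db 'select * from notes'"),
]


if __name__ == "__main__":
    for pid, name in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: matched analytic {name}")
```

In a real deployment the events would come from your EDR or from macOS unified logging rather than a hard-coded list, and each hit would be enriched with the parent process and the user before an analyst decides whether it is a benign installer or persistence being set up.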
It has been just a few months since Apple introduced its latest lineup of ARM-powered Macs. Since then, the platform has been hit by two threats: one discovered just a few days ago, and now another attacking macOS while its true potential remains unknown.
But Apple has not forgotten its commitment to security: the Cupertino giant told Mashable that it has revoked the certificates of the developer accounts used to sign the packages, so Macs will be prevented from getting infected with Silver Sparrow going forward.