Hackers Slipped Mysterious Malware Into Thousands of Macs But Researchers Can’t Figure Out Why

A new malware strain has infected Mac devices all over the world — most prominently in the U.S. and parts of Europe — though experts can’t decide where it came from or what it does.

The malicious program, discovered by security firm Red Canary and dubbed “Silver Sparrow,” has infected 29,139 macOS endpoints in 153 countries, with the largest infection rates in the U.S., the United Kingdom, France, Germany, and Canada. The program is also one of only a handful of malware strains that are compatible with products powered by Apple’s new M1 chip.

Researchers describe “Sparrow” as a ticking time bomb: the malware doesn’t appear to have any specific function yet. Instead, it lies in wait, checking in on an hourly basis with a control server to see if there are any new commands it should run on infected devices.

“After observing the malware for over a week, neither we nor our research partners observed a final payload, leaving the ultimate goal of Silver Sparrow activity a mystery,” writes Red Canary’s Tony Lambert. “We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.” It’s also not totally clear to researchers how devices were infected.

Even more unsettling, “Sparrow” seems designed to erase itself from a computer once it has delivered its payload. The program “includes a file check that causes the removal of all persistence mechanisms and scripts” that “removes all of its components from the endpoint,” Lambert said. Ars Technica writes that such capabilities are typically found in “high stealth operations,” i.e., intrusion campaigns that are surreptitious in nature.

Two different strains of the malware have been discovered. You can take a look at a technical breakdown of the two versions and how they function below:

Screenshot: Lucas Ropek/Red Canary

While researchers are ultimately stumped about the reason for the malware’s existence, they said that it represents a credible danger to infected systems.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” said Lambert.

Apple appears to have stepped in to stop the spread of the malware. The company told MacRumors that it has revoked the certificates of the developer accounts used to sign the “Sparrow”-related packages, which should stop any other Macs from being infected.

Still, if you are concerned your device may be compromised, you can check out the list of indicators provided by Red Canary.