Two novel strains of malware that run natively on Apple’s M1 processor have been discovered. Silver Sparrow remains a mystery with no determined payload.
There has long been a myth circulating on the internet that macOS doesn’t get viruses. Some people even believe it can’t get a virus. The reality is that neither of those things is true. For many years, few viruses were written for macOS simply because Macs weren’t as widely used as other PCs. The ability to create those viruses has always existed, but it was never lucrative for threat actors. Today it’s very different, though. Two separate forms of malware designed to run natively on Apple’s M1 processor were discovered within a week of each other this month: GoSearch22 and Silver Sparrow.
The first piece of malware was discovered by security researcher Pat Wardle on February 14. It is adware belonging to the Pirrit family; its malicious browser extension, GoSearch22, had its developer certificate revoked by Apple. That action means this version of GoSearch22 won’t run on macOS anymore, at least not unless its authors re-sign it with another developer key.
The second piece of malware was discovered by research firm Red Canary, which named the malware Silver Sparrow. It was reported on February 17, a mere three days after the discovery of GoSearch22. There is something different about this one, though. From the Red Canary blog post:
“Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence. Nothing new there. However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution—something we hadn’t previously encountered in other macOS malware—and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture.”
There’s more that’s different, too. First, researchers have yet to determine how this malware has infected almost 30,000 macOS endpoints. Second, there doesn’t seem to be a payload. Once an hour the infected Macs check a command-and-control server to see if there are any new commands to run. Third, it comes equipped with the ability to remove itself.
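The two traits described here, persistence through a LaunchAgent and an hourly check-in with a control server, are things a defender can look for on their own machine without knowing the malware’s payload. The following audit script is an added example written for this article, not code from the author or from Red Canary, and it uses generic heuristics rather than Silver Sparrow’s actual indicators (those are in the Red Canary post). It parses LaunchAgent plists, flags agents that invoke JavaScript through the system scripting host (`osascript -l JavaScript`, an assumption about how JavaScript execution would typically appear), beacon hourly or faster via `StartInterval`, reference hidden directories, or are configured to start at login and stay alive. The two sample plists are constructed for the example; `assess_launch_agent` and `is_suspicious` are names chosen here.

```python
import plistlib
from pathlib import Path
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Directories macOS consults for per-user and system-wide LaunchAgents.
LAUNCH_AGENT_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
]

# Locations where legitimately installed agents normally keep their binaries (assumption).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")

# Constructed sample: a plausible backup helper that runs once a night.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Backup.app/Contents/MacOS/backup-helper</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>2</integer></dict>
</dict>
</plist>"""

# Constructed sample: JavaScript run from a hidden directory, kept alive, polling hourly.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/osascript</string>
    <string>-l</string><string>JavaScript</string>
    <string>/Users/alice/.cache/updater.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>"""


def assess_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Parse one LaunchAgent plist and return its label plus heuristic findings."""
    agent = plistlib.loads(plist_bytes)
    findings: List[str] = []
    args = [str(a) for a in agent.get("ProgramArguments", [])]
    program = str(agent.get("Program", args[0] if args else ""))
    command = " ".join(args)

    # 1. JavaScript execution through the system scripting host.
    if "osascript" in command and "JavaScript" in command:
        findings.append("javascript_execution")

    # 2. Hourly-or-faster polling: matches the once-an-hour check-in described above.
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= 3600:
        findings.append("hourly_beacon")

    # 3. Program outside the usual install locations.
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append("untrusted_program_location")

    # 4. Any argument pointing into a hidden (dot-prefixed) directory.
    if any(part.startswith(".") for a in args for part in Path(a).parts if part != ".."):
        findings.append("hidden_path_component")

    # 5. Started at login and restarted if killed: classic persistence settings.
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("run_at_load_keepalive")

    return {"label": agent.get("Label", "<no label>"), "findings": findings}


def is_suspicious(assessment: Dict[str, object]) -> bool:
    """Two or more independent findings on one agent merit a closer look."""
    return len(assessment["findings"]) >= 2


def audit_directories(dirs=LAUNCH_AGENT_DIRS) -> List[Dict[str, object]]:
    """Assess every .plist in the given LaunchAgent directories, skipping unreadable ones."""
    results: List[Dict[str, object]] = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for plist_path in sorted(directory.glob("*.plist")):
            try:
                assessment = assess_launch_agent(plist_path.read_bytes())
            except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
                continue  # malformed or unreadable plist
            assessment["path"] = str(plist_path)
            results.append(assessment)
    return results


if __name__ == "__main__":
    for entry in audit_directories():
        flag = "SUSPICIOUS" if is_suspicious(entry) else "ok"
        print(f"{flag:10} {entry['path']}  {entry['label']}  {entry['findings']}")
```

Run it with `python3 audit_agents.py` on the Mac in question; any agent flagged SUSPICIOUS is a candidate for manual review, not a confirmed infection, since legitimate software can also poll hourly or keep itself alive. The heuristics are deliberately generic: they describe the behaviour class rather than one sample, so they will still apply after the author re-signs or renames the binary.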
This malware presents a number of problems. Experts are stumped because they don’t know what it does. Malware isn’t designed for no reason, so what is the purpose here? Is it waiting for some specific set of criteria to be met, at which time it will unleash its wrath? Is it a scout program designed to measure how systems respond, length of time to detection and other factors which make it easier to hide? And how did it get there in the first place?
The assumption is that this is some type of adware similar to, yet clearly distinct from, the first strain of malware found. The theories around what it does range from nothing to a plethora of damage, depending on who you ask. Silver Sparrow has been found in 153 countries as of February 17, including the US, UK, Canada, France and Germany. Such a widespread footprint is also cause for concern, especially with more consumers and businesses turning to Apple as an alternative to other operating systems, which regularly face complex and intricate malware that is stubborn and frustrating. But the more users turn to Apple, the more threat actors will develop strains of malware that run on macOS.
It is incredibly important for anyone who uses a Mac, whether for personal or business use, to check whether their machine is infected. You can visit the Red Canary post for the full details on how to tell if your machine is infected and how to remove the malware. We highly recommend doing this. Even if no one knows what the malware does, it’s pretty safe to assume it’s not going to do anything good.
Malware and other cybersecurity threats are not going anywhere, no matter which OS you use. There are strains for every OS in use, and this is a prime example. The M1 processor was released just last year, and already there are two strains of malware that run natively on it. And it’s designed for the Mac, which makes up only a fraction of the machines in use today. Play it safe and be proactive: hunt that malware down now and eradicate it from your system before it actually does something bad. Apple revoked Silver Sparrow’s certificate so it can no longer spread, so fix the problem now and get ahead of the threat actors.