Security researchers at Red Canary uncovered a new macOS malware family that infected nearly 30,000 Macs over the past couple of months. The malware, named Silver Sparrow, is still largely a mystery: its authors, delivery channel, and purpose are unknown.
Silver Sparrow was distributed as installer packages that posed as software updates. macOS's Gatekeeper only lets software signed by a registered developer (an Apple Developer ID) run without warning the user. The Silver Sparrow installers were all signed with valid Developer ID certificates, so the operating system treated them as trustworthy. XProtect, the built-in signature-based antivirus in macOS, also did not detect the malware at the time of discovery.
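A valid signature says nothing about what a package does before it is even installed. Silver Sparrow's installers carried JavaScript in the package's Distribution file, which Installer.app evaluates through the Installer JavaScript API as soon as the package is opened, and used it to run commands. The script below is an added example for this article, not code from LIFARS or from the researchers who analysed the malware: it audits a Distribution file for functions that Installer.app invokes automatically and that reach `system.run()`, directly or through a callee. The two Distribution documents at the bottom are constructed samples; the shell command in the "malicious" one is a placeholder, not the campaign's real command line. `audit_pkg()` assumes `xar(1)` is available, as it is on macOS.

```python
"""Audit a macOS .pkg Distribution file for installer-time JavaScript.

Added example; not LIFARS or Red Canary code. A flat .pkg is a xar archive
whose Distribution XML may hold <script> blocks that Installer.app runs via the
Installer JavaScript API before the user approves anything. A package that
reaches system.run() from an automatic hook deserves a look even when its
Developer ID signature checks out.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

EXEC_API = "system.run("  # Installer JS API call that spawns an external process
# Elements whose "script" attribute Installer.app evaluates on its own as soon
# as the package is opened, before the Install button is clicked.
AUTO_HOOKS = ("installation-check", "volume-check")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")


def _function_segments(js: str) -> dict:
    """Map each declared function name to its source text, split naively at
    the next `function` keyword (adequate for the short scripts packages carry)."""
    hits = list(FUNC_RE.finditer(js))
    return {
        m.group(1): js[m.start():(hits[i + 1].start() if i + 1 < len(hits) else len(js))]
        for i, m in enumerate(hits)
    }


def _reachable(roots: set, segments: dict) -> set:
    """Functions reachable from `roots` by following calls between declared functions."""
    seen, stack = set(), list(roots)
    while stack:
        fn = stack.pop()
        if fn in seen or fn not in segments:
            continue
        seen.add(fn)
        for callee in segments:
            if callee != fn and re.search(r"\b%s\s*\(" % re.escape(callee), segments[fn]):
                stack.append(callee)
    return seen


def audit_distribution(xml_text: str) -> dict:
    """Report which functions run automatically and which of those execute commands."""
    root = ET.fromstring(xml_text.strip())
    auto_invoked = set()
    for tag in AUTO_HOOKS:
        for el in root.iter(tag):
            m = re.match(r"\s*(\w+)\s*\(", el.get("script", ""))
            if m:
                auto_invoked.add(m.group(1))
    segments = {}
    for script in root.iter("script"):
        segments.update(_function_segments(script.text or ""))
    exec_functions = {name for name, src in segments.items() if EXEC_API in src}
    auto_exec = sorted(_reachable(auto_invoked, segments) & exec_functions)
    return {
        "auto_invoked": sorted(auto_invoked),
        "exec_functions": sorted(exec_functions),
        "auto_exec": auto_exec,
        "suspicious": bool(auto_exec),
    }


def audit_pkg(pkg_path: str) -> dict:
    """Pull Distribution out of a product archive with xar(1) and audit it.
    Component packages carry PackageInfo instead and are not handled here."""
    if shutil.which("xar") is None:
        raise RuntimeError("xar(1) not found; run this on macOS")
    with tempfile.TemporaryDirectory() as tmp:
        subprocess.run(["xar", "-xf", pkg_path, "-C", tmp, "Distribution"], check=True)
        return audit_distribution(Path(tmp, "Distribution").read_text())


# Constructed samples. The shell command below is a placeholder, not the
# campaign's real command line.
MALICIOUS_DISTRIBUTION = """
<installer-gui-script minSpecVersion="1">
  <installation-check script="installation_check()"/>
  <script><![CDATA[
    function fetch_update() {
        system.run("/bin/sh", "-c", "echo placeholder > /tmp/example_marker");
        return true;
    }
    function installation_check() {
        return fetch_update();
    }
  ]]></script>
  <pkg-ref id="com.example.update" version="1.0">#update.pkg</pkg-ref>
</installer-gui-script>
"""

BENIGN_DISTRIBUTION = """
<installer-gui-script minSpecVersion="1">
  <installation-check script="installation_check()"/>
  <script><![CDATA[
    function installation_check() {
        return system.compareVersions(system.version.ProductVersion, "11.0") >= 0;
    }
  ]]></script>
</installer-gui-script>
"""

if __name__ == "__main__":
    for label, xml_text in (("malicious", MALICIOUS_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(label, audit_distribution(xml_text))
```

On macOS, pair this with `pkgutil --check-signature update.pkg` and `spctl -a -t install -vv update.pkg` to see which Developer ID signed the package; the point of the audit is that a package can pass both checks and still run code at install time.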
LIFARS Managed Threat Hunting and Response Service (MTH&R) will help you detect adversaries and hidden malware within your infrastructure. Our experts can deploy, manage, and monitor state-of-the-art endpoint solutions to protect even against the most advanced malware.
The malware was also one of the first malicious binaries compiled natively for Apple Silicon. Apple Silicon Macs use the ARM64 instruction set rather than the x86-64 of Intel Macs, and the installers shipped universal binaries carrying both an x86-64 and an arm64 slice. Native arm64 code can be harder to analyze for security software and automated analysis tools that were built around x86-64.
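Whether a sample carries a native arm64 slice can be read straight from its Mach-O header, which is the first thing to check before handing it to x86-64-only tooling. The parser below is an added example for this article, not code from LIFARS: it handles thin Mach-O files and universal (fat) containers, and rejects Java class files, which share the fat magic. The sample inputs are constructed headers with no code behind them.

```python
"""List the CPU architectures inside a Mach-O or universal binary.

Added example; not LIFARS code. A macOS binary is either a thin Mach-O for
one architecture or a universal container whose header lists a slice per
architecture. Intel and Apple Silicon targets are little-endian, so thin
headers are read as little-endian; fat headers are always big-endian.
"""
import struct

FAT_MAGIC = 0xCAFEBABE     # universal binary, 32-bit fat_arch entries (big-endian header)
FAT_MAGIC_64 = 0xCAFEBABF  # universal binary, 64-bit fat_arch entries
MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit Mach-O
MH_MAGIC = 0xFEEDFACE      # thin 32-bit Mach-O
CPU_TYPES = {0x00000007: "i386", 0x01000007: "x86_64", 0x0000000C: "arm", 0x0100000C: "arm64"}
# Java .class files share the CAFEBABE magic; their next field is a version
# number far larger than any plausible slice count, which is how to tell them apart.
MAX_FAT_ARCHS = 32


def is_macho(data: bytes) -> bool:
    if len(data) < 8:
        return False
    if struct.unpack(">I", data[:4])[0] in (FAT_MAGIC, FAT_MAGIC_64):
        return struct.unpack(">I", data[4:8])[0] <= MAX_FAT_ARCHS
    return struct.unpack("<I", data[:4])[0] in (MH_MAGIC_64, MH_MAGIC)


def macho_archs(data: bytes) -> list:
    """Return the architecture names of every slice, in header order."""
    if not is_macho(data):
        raise ValueError("not a Mach-O or universal binary")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        nfat = struct.unpack(">I", data[4:8])[0]
        # fat_arch: cputype, cpusubtype, offset, size, align (+ reserved in the 64-bit form)
        entry = ">IIQQII" if magic == FAT_MAGIC_64 else ">IIIII"
        size = struct.calcsize(entry)
        archs = []
        for i in range(nfat):
            fields = struct.unpack_from(entry, data, 8 + i * size)
            archs.append(CPU_TYPES.get(fields[0], "cputype_%#x" % fields[0]))
        return archs
    cputype = struct.unpack("<I", data[4:8])[0]
    return [CPU_TYPES.get(cputype, "cputype_%#x" % cputype)]


def has_native_arm64(data: bytes) -> bool:
    """True when the file can run on Apple Silicon without Rosetta."""
    return "arm64" in macho_archs(data)


def _fat_header(*cputypes) -> bytes:
    """Build a fat header only (no code slices) for the constructed samples."""
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        out += struct.pack(">IIIII", cputype, 0, 0x4000 * (i + 1), 0x1000, 14)
    return out


# Constructed samples: headers only, enough for the parser, not runnable code.
SAMPLE_UNIVERSAL = _fat_header(0x01000007, 0x0100000C)
SAMPLE_THIN_ARM64 = struct.pack("<II", MH_MAGIC_64, 0x0100000C) + bytes(24)
SAMPLE_THIN_X86_64 = struct.pack("<II", MH_MAGIC_64, 0x01000007) + bytes(24)
SAMPLE_JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 52)  # minor 0, major 52

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 else SAMPLE_UNIVERSAL
    print(macho_archs(data), "native arm64:", has_native_arm64(data))
```

Run it as `python3 macho_archs.py /path/to/binary`; on macOS, `file(1)` on the same path should agree. Reading only the first 4 KiB is enough for the header, which is what makes this cheap to run over a whole quarantine directory.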
However, its origin and purpose remain unknown. Researchers could not determine how the installers were initially distributed or whether particular groups were targeted, and they never observed a functional payload: the binaries bundled with the installers were placeholders, and the malware's periodic check-in with its command server never returned anything to execute. Most likely the operation was uncovered before the attackers deployed their final payload.
Apple responded by revoking the Developer ID certificates used to sign the installers, which blocks further installs from those packages. Revocation does not clean Macs that are already infected, where the malware persists through a LaunchAgent; those will most likely be remediated by an upcoming definition update for MRT (Apple's Malware Removal Tool).
Even with Apple's swift response, Silver Sparrow shows the limits of macOS's built-in anti-malware features. Macs are not immune to malware, and the built-in protections (Gatekeeper, XProtect, and MRT) favor performance and a low false-positive rate over detection coverage. A valid Developer ID signature only proves that Apple issued the certificate, not that the software is benign, so users should be cautious when installing software from outside the Mac App Store.