The first native malware aimed at the M1 platform was found by well-known Mac security expert Patrick Wardle recently.
But despite ascertaining that Silver Sparrow was present on 29,139 machines in 153 countries — including big numbers in the US, the UK, Canada, France and Germany — the Red Canary duo said they were yet to observe the delivery of any malicious payloads.
Hurd and Killam said they had found two versions of the malware: one which was only an Intel x86_64 binary, while the second contained binaries both x86_64 and the M1 ARM64 platform; all files were in the PKG format.
The duo detailed the make-up and operation of the malware in their brief but there were many grey areas to which they admitted.
"...we aren’t certain of the initial distribution method for the PKG files," they said. "We suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In this case, we can’t be certain because we don’t have the visibility to determine exactly what caused the download.
"Next, we don’t know the circumstances under which ~/Library/._insu appears. This file may be part of a toolset the adversary wishes to avoid; it may be part of the malware’s life cycle itself as a way of removing components after an objective has been met.
"In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.
"Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload."
Silver Sparrow uses AWS S3 as a host while callback for the cluster leverages domains hosted through the Akamai content delivery network, meaning that it has chosen extremely reliable infrastructure.