Macs and viruses are not all that common, but the one that was recently discovered by researchers is even less so. Security researcher Red Canary has published information about a new “activity cluster” that has infected 29,139 Macs across more than 150 countries but is missing one key ingredient: a reason to be.
In the report, Red Canary and Malwarebytes outline a new strain of macOS malware called Silver Sparrow that affects both Intel and Apple silicon processors. The companies have determined that the sheer scale of the malware is enough to pose “reasonably serious threat” even though it “did not exhibit the behaviors that we have come to expect from the usual adware that so often targets macOS systems.”
Cyber threat investigators report that the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, they do not know how these files were delivered to the user.
These .pkg files included JavaScript code, in such a way that the code would run at the very beginning, before the installation has really started. The user would then be asked if they want to allow a program to run “to determine if the software can be installed.” This means that, if you were to click Continue, but then think better of it and quit the installer, it would be too late. You’d already be infected.
The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named verx.sh once per hour. This script has several functions.
First, it will contact a command & control server formerly hosted on Amazon AWS. The data it gets back looked something like this at the time of analysis:
1 2 3 4 5 6 7 8 9 |
{ "version": 2, "label": "verx", "args": "upbuchupsf", "dls": 4320, "run": true, "loc": "~/Library/._insu", "downloadUrl": "" } |
Next, the malware will check for the file ~/Library/._insu. From Malwarebytes data, it appears that this is a zero-byte file, and the malware simply uses it as a marker to indicate that it should delete itself. In this case, the script does exactly that, then exits.
Finally, it will try to determine whether there is a newer version of the malware (which will always be the case if the final payload is not yet installed), and if so, it will download the payload from the URL provided in the downloadUrl parameter in the data from the command & control server.
However, as can be seen from the data, at the time of analysis, the download URL was blank. Although we know that the script will store the payload at /tmp/verx, we have yet to see any instances of this payload on any infected machines.
If the payload were actually downloaded, it would be launched with the args data as the arguments.
Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either “tasker” or “updater,” depending on the version of the .pkg file. Both of these apps appear to be very simplistic placeholder apps that don’t do anything interesting.
In short, it does not do anything. That is not all that reassuring, given that tens of thousands of Macs could have potentially been infected, but based on the findings and investigations of multiple strains, the virus was “positioned to deliver a potentially impactful payload at a moment’s notice.”
Apple has since revoked the developer certificates that allowed the virus to propagate and says new machines can no longer be infected. Apple's own research echoed Red Canary's findings and uncovered no evidence that the malware has delivered a malicious payload to any of the infected machines.
The Red Canary team is unclear as to how the virus spread to so many Macs, but noted that it exhibited properties that are common with malicious macOS adware.
While the virus doesn’t appear to have any malicious intent, Red Canary is warning users that the virus could have potentially been extremely harmful to the system due to its “chip compatibility, global reach, relatively high infection rate, and operational maturity.”
Silver Sparrow is not the first malware to infect Apple’s new M1 chip. Last week, security specialist Patrick Wardle reported on adware that was compiled specifically to target the new ARM chip in the MacBook Air, MacBook Pro, and Mac mini. The developer certificate associated with that malware has also been revoked by Apple.
Red Canary has a deep dive into the inner workings of Silver Sparrow on its blog post titled, “Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight.”
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
TR-21-060-002_More_Mysterious_Mac_Malware.pdf
Comments