Security researchers at Red Canary recently discovered that Macs featuring Apple’s custom M1 chips are subject to a new strain of malware dubbed Silver Sparrow. Working in conjunction with researchers from Malwarebytes and VMWare Carbon Black, the researchers have disclosed surprising details about this particular strain including data from Malwarebytes that nearly 30,000 Macs have been affected worldwide. Investigations are still ongoing, and it is not yet known how the threat actors are spreading the malware. Nor is it clear what the final payload is that threat actors behind the malware intend to deploy on the victim machines.
So what’s the significance of this new finding? The researchers have found two versions of the Silver Sparrow malware: one designed to target Intel x86-based systems, and one built to infect M1-powered systems. While Macs have been targets for adware and malware for some time, until recently Macs used Intel x86-based chips exclusively. This new strain demonstrates that an M1 chip won’t necessarily protect you from malware that has traditionally targeted x86 processors, as Silver Sparrow has been compiled specifically to run on Apple M1 & ARM64-based chips.
As noted above, Red Canary says they have not yet observed Silver Sparrow delivering malicious payloads. It has been observed, however, that the malware, once installed, listens for commands or updates. Apple is stepping in to help address the situation: it has revoked the developer certificates used by the malware to help prevent future infections. Given the global reach of Macs, though, the malware does represent a significant threat.
Additional research shows that the command and control infrastructure behind Silver Sparrow is hosted on the Amazon Web Services S3 cloud platform, while callback domains for this activity cluster leveraged domains hosted through the Akamai CDN. The Armis platform can help you quickly identify if Silver Sparrow is present in your environment. By using the Armis Standard Query (ASQ) tool, you can easily identify infected devices along with activities indicative of infection such as DNS activity illustrating that the malware is present in your environment.
Armis can then be utilized to provide remediation steps, including the quarantine of infected devices by blocking them at the firewall, switch or WLC.
For more information and to see a full demonstration of Armis, please visit www.armis.com/demo.