Think Macs Don’t Get Malware? Think Again.

Researchers have discovered stealthy malware on many Macs. Dubbed Silver Sparrow, nobody knows what its purpose is. It is a riddle, wrapped in a mystery, inside an enigma.

The malware authors also created an M1 version. So no need to run the x86 build in emulation. Which is nice.

AWS Builder Community Hub

The malware is thought to be widespread: So far, 30,000 victims have been found—but that’s out of a tiny sample of the Mac installed base. In today’s SB Blogwatch, we challenge preconceptions that were never true.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: tea.

But Why?

What’s the craic? Dan Goodin reports—“New malware … has security pros stumped”:

 Once an hour, infected Macs check a [C2] server to see if there are any new commands the malware should run. … So far, however, researchers have yet to observe delivery of any payload … leaving the malware’s ultimate goal unknown.

The malware is [also] notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. … The malware has been found in 153 countries.

What next? Sean Hollister adds—“Cybersecurity pros are wondering what’s next”:

 There’s a popular stereotype that Apple’s computers are largely immune to malware. Not only is is that incorrect, it appears that sophisticated hacker(s) might have been toying with the idea of a heist or drop nasty enough they’d have needed to cover their tracks. [This] mysterious piece of malware [is] designed to deliver an as-yet-unknown payload, and with a self-destruction mechanism that might remove any trace that it ever existed.

Researchers warn that Apple’s transition from Intel to its own silicon may make it easy for other bad actors to slip malware through the cracks, too.

Researchers are warning whatnow? Hey, Lily Hay Newman—“Malware Is Now Targeting Apple’s New M1 Processor”:

 Longtime Mac security researcher Patrick Wardle published findings on Wednesday about a Safari adware extension that was originally written to run on Intel x86 chips, but has now been redeveloped specifically for M1. … Researchers from the security firm Red Canary [say] they are also investigating an example of native M1 malware that appears distinct from Wardle’s finding.

Malwarebytes Mac security researcher Thomas Reed [says] it’s important for security researchers to be aware that native M1 malware is not just coming, but already here. … “It definitely was inevitable—compiling for M1 can be as easy as flicking a switch.”

Who found it? Tony Lambert puns it up—“Clipping Silver Sparrow’s wings”:

 Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence. Nothing new there. However … the novelty of this downloader arises primarily from the way it uses JavaScript for execution … and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture.

The rest of this post [contains] a technical analysis … an explanation of intelligence gaps and blindspots, guidance on detection opportunities [and] a list of indicators that we’ve encountered.

But gnasher719’s having none of it:

 Nonsense! … It isn’t even malware! The installer does weird things that are usually associated with malware, but the software actually does nothing.

If a tree falls in the forest, but there’s nobody around to hear it, does it make a sound? Alan Woodward—@ProfWoodward—truly is a doctor of philosophy:

 This is an odd one. MacOS malware that appears to have no payload so how do you tell what it’s doing or intended to do? It looks like malware and acts like malware, so presumably it is malware.

How about something closer to home? roeboat72 offers a topical metaphor:

 It is kind of like the idea of the cold virus. It persists because it is usually so mild that humans don’t see the return on investment to try and fight it.

Having malware that doesn’t do anything yet is a good way to stay under the radar and infect a lot of machines before you actually make it do something bad. … If you have a malware that doesn’t do anything, it is much more likely to stay under the radar and be ignored, so it can spread to a lot more machines.

Or a gaming metaphor? Here’s ledow:

 You guys never played Plague Inc? You wait until you’re in any many places as possible and nobody has noticed, before you start doing any action which might give away your presence. … It’s just malware, this is exactly how malware works, and how malware is operated if the authors have half a brain.

But Macs can’t get malware! Seriously, does anyone still believe that? Actualy, yes—according to distinctively:

 I can quote “Mac’s can’t get viruses” from three separate people that I know in just the last year. Two of my children are still in university where they estimate that at least 1/3 of the Apple users there still believe it.

Meanwhile, AntisocialNetworker boils the story down to its essence:

 I read somewhere that Macs were supposed to be secure. And the MacOS installer has a JavaScript API? Sheesh, I’m sticking to Gentoo.

And Finally:

The aliens next door

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Moritz Kindler (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 515 posts and counting.See all posts by richi