Although malware targeting Apple computers running macOS is less common than malware targeting Microsoft Windows, the threat is just as serious and potentially damaging, exposing macOS users to digital surveillance and theft of information. Researchers at Red Canary discovered a serious macOS malware threat that delivers a binary payload compiled to be compatible with Apple’s brand-new M1 system architecture. Researchers have named the new cluster of activity “Silver Sparrow,” and reports indicate that it had already infected upwards of 29,100 Apple machines across 153 countries as of February 17, 2021.
Silver Sparrow employs a well-known technique, a Launch Agent, to establish persistence on macOS systems. What researchers at Red Canary noted is that this threat uses the macOS Installer JavaScript API as its execution mechanism, moving directly from the installer phase to bash commands, a deviation from the telemetry normally observed from macOS malware. In the past, macOS malware has been observed using pre-install or post-install scripts to achieve this behavior. The malicious JavaScript commands run under the legitimate macOS Installer process because they are embedded in the package file’s Distribution definition XML file. The current binary payload that Silver Sparrow installs does not have much capability, but instead seems poised to deliver a more dangerous payload in the future, perhaps against a targeted subset of victims or to a broad set of infected computers at a time that is most advantageous to the attackers.
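The two mechanisms described above, JavaScript in a package’s Distribution file that calls the Installer JS `system.run` API, and a Launch Agent plist for persistence, are both things a defender can inspect offline. The following Python script is an added triage example written for this post; it is not code from Red Canary, Binary Defense, or the Silver Sparrow sample. It parses a Distribution XML file, reports every `<script>` block and any `installation-check` / `volume-check` hook that invokes script, flags `system.run(` calls, and separately summarizes a Launch Agent plist. The sample Distribution XML and plist below are constructed for illustration and are not the real Silver Sparrow artifacts.

```python
"""Offline triage of macOS installer packages and Launch Agent plists.

Added example (not from the original post or the cited researchers).
Inputs are constructed samples, not the actual Silver Sparrow files.
"""
import plistlib
import xml.etree.ElementTree as ET

# The Installer JS API call that hands control to a shell (system.run is the
# documented API; nothing else is assumed about its variants here).
SHELL_CALL = "system.run("

# Paths a normal software vendor would rarely launch an agent from.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

# Constructed Distribution file: an installation-check hook runs JavaScript
# that shells out via system.run before any package is even installed.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Example Updater (constructed sample)</title>
  <installation-check script="installCheck()"/>
  <script>
  <![CDATA[
  function installCheck() {
      system.run("/bin/sh", "-c", "echo constructed-sample");
      return true;
  }
  ]]>
  </script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Example"/>
  <pkg-ref id="com.example.constructed.pkg"/>
</installer-gui-script>"""

# Constructed Distribution file with no embedded script at all.
CLEAN_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Clean Example (constructed sample)</title>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Example"/>
  <pkg-ref id="com.example.clean.pkg"/>
</installer-gui-script>"""

# Constructed Launch Agent: runs at login and every hour, from a user path.
SAMPLE_LAUNCH_AGENT = plistlib.dumps({
    "Label": "com.example.constructed.agent",
    "ProgramArguments": ["/bin/sh", "-c",
                         "/Users/demo/Library/Application Support/example/update.sh"],
    "RunAtLoad": True,
    "StartInterval": 3600,
})


def extract_distribution_scripts(distribution_xml: str) -> list:
    """Return the text body of every <script> element in a Distribution file."""
    root = ET.fromstring(distribution_xml)
    return [(node.text or "") for node in root.iter("script")]


def find_script_hooks(distribution_xml: str) -> dict:
    """Map hook elements (installation-check, volume-check) to the JS they invoke."""
    root = ET.fromstring(distribution_xml)
    hooks = {}
    for tag in ("installation-check", "volume-check"):
        node = root.find(tag)
        if node is not None and node.get("script"):
            hooks[tag] = node.get("script")
    return hooks


def triage_distribution(distribution_xml: str) -> dict:
    """Summarize script presence and shell calls in a Distribution file."""
    scripts = extract_distribution_scripts(distribution_xml)
    shell_calls = [body.count(SHELL_CALL) for body in scripts]
    return {
        "script_count": len(scripts),
        "shell_call_count": sum(shell_calls),
        "hooks": find_script_hooks(distribution_xml),
        # Script that shells out during install is the behavior worth a closer look.
        "suspicious": sum(shell_calls) > 0,
    }


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Summarize persistence-relevant keys of a Launch Agent plist."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments", []))
    if data.get("Program"):
        args.insert(0, data["Program"])
    user_paths = [a for a in args if a.startswith(USER_WRITABLE_PREFIXES)]
    run_at_load = bool(data.get("RunAtLoad", False))
    interval = data.get("StartInterval")
    return {
        "label": data.get("Label", ""),
        "run_at_load": run_at_load,
        "start_interval": interval,
        "user_writable_paths": user_paths,
        "persistent": run_at_load or interval is not None,
    }


if __name__ == "__main__":
    print(triage_distribution(SAMPLE_DISTRIBUTION))
    print(triage_distribution(CLEAN_DISTRIBUTION))
    print(triage_launch_agent(SAMPLE_LAUNCH_AGENT))
```

To run this against a real package, first expand the flat package with `pkgutil --expand package.pkg outdir` and feed the `Distribution` file from that directory to `triage_distribution`; Launch Agent plists live under `~/Library/LaunchAgents` and `/Library/LaunchAgents` and can be passed to `triage_launch_agent` as bytes. A `<script>` block that calls `system.run` from an `installation-check` hook is not by itself proof of malice, but it is the exact pattern the post describes and is rare enough in legitimate installers that it deserves analyst review.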
Analyst Notes
It is generally thought that macOS malware is limited to adware and other “minimally” invasive threats. However, several malware varieties associated with Advanced Persistent Threat (APT) groups have targeted macOS systems over the past several years, and some have managed to remain under the radar of defenders for quite some time before discovery. The potential for Silver Sparrow to pivot and drop other, more specially crafted malicious payloads for execution on victim machines should not be taken lightly. While Microsoft Windows machines dominate the market share of business computers, Apple comes in second with 13% of the laptops and workstations sold worldwide, reflecting a significant and increasing portion of enterprise workstations. While there are relatively few reliable options for commercial antivirus programs on macOS, there are some EDR solutions available for small businesses through large enterprises, including Binary Defense’s multi-platform MDR and Microsoft Defender for Endpoint’s macOS agent. While this is a worthy mitigation strategy, relying solely on passive detection leaves gaps in security. Employing active analyst observation through a 24/7 Security Operations Center such as Binary Defense’s team, along with proactive solutions such as Threat Hunting, greatly reduces the risk to macOS endpoints by using expert researchers to hunt down and identify active threats on the network.
Sources:
https://redcanary.com/blog/clipping-silver-sparrows-wings/
https://attack.mitre.org/techniques/T1543/001/
https://developer.apple.com/documentation/installer_js/system/1812364-run
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems