Although malware targeting Apple computers running macOS is less common than malware targeting Microsoft Windows, the threat is just as serious and potentially damaging, exposing macOS users to digital surveillance and information theft. Researchers at Red Canary discovered a serious macOS malware threat that delivers a binary payload compiled to run natively on Apple’s brand-new M1 system architecture. Researchers have named the new cluster of activity “Silver Sparrow”, and reports indicate that it had already infected upwards of 29,100 Apple machines across 153 countries as of February 17, 2021.
Silver Sparrow employs a well-known technique, a Launch Agent, to establish persistence on macOS systems. What the Red Canary researchers noted is that this threat uses the macOS Installer JavaScript API as its execution mechanism, moving directly from the installer phase to bash commands, which deviates from the telemetry normally observed for macOS malware. In the past, macOS malware has been observed using pre-install or post-install scripts to achieve the same behavior. The malicious JavaScript commands run under the legitimate macOS Installer process because they are embedded in the package file’s Distribution definition XML file. The binary payload that Silver Sparrow currently installs has very little capability; instead, it appears poised to deliver a more dangerous payload in the future, perhaps against a targeted subset of victims or to the whole set of infected computers at a time most advantageous to the attackers.
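As an added defender-side example (not code from Red Canary or from the malware), the script below scans a package's Distribution XML for `<script>` blocks whose JavaScript shells out during installation, which is the execution path described above; it assumes the InstallerJS call is named `system.run` and uses a constructed sample Distribution file rather than a real one.

```python
import re
import xml.etree.ElementTree as ET

# Patterns a defender would flag inside installer JavaScript: a call to the
# InstallerJS system.run() function (assumed API name) that launches a shell,
# or an inline "/bin/sh -c" invocation.
SHELL_PATTERNS = [
    re.compile(r"system\.run\s*\(\s*['\"]/bin/(ba)?sh['\"]"),
    re.compile(r"/bin/(ba)?sh\s+-c\b"),
]


def find_suspicious_scripts(distribution_xml: str) -> list:
    """Return (script_index, pattern) pairs for every <script> element in a
    pkg Distribution file whose body matches a shell-execution pattern."""
    root = ET.fromstring(distribution_xml)
    findings = []
    for index, script in enumerate(root.iter("script")):
        body = script.text or ""  # CDATA sections are delivered as plain text
        for pattern in SHELL_PATTERNS:
            if pattern.search(body):
                findings.append((index, pattern.pattern))
    return findings


# Constructed sample modelled on the technique in the text: the installation
# check runs a shell command instead of merely checking the system.
SUSPICIOUS_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <title>Example Updater</title>
    <options customize="never" require-scripts="true"/>
    <script>
    function installationCheck() {
        system.run('/bin/sh', '-c', 'echo constructed-sample-command');
        return true;
    }
    </script>
    <choices-outline><line choice="default"/></choices-outline>
    <choice id="default"/>
</installer-gui-script>
"""

# Constructed benign sample: the installation check never leaves JavaScript.
BENIGN_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <script>function installationCheck() { return true; }</script>
</installer-gui-script>
"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_DISTRIBUTION), ("benign", BENIGN_DISTRIBUTION)):
        print(name, find_suspicious_scripts(xml))
```

To run it against a real package, expand it first with `pkgutil --expand package.pkg outdir` and feed the resulting `Distribution` file to `find_suspicious_scripts`.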