Gone are the days when Apple devices were considered the safest option. The evolution in technology has not only fueled innovation but has also contributed to the growth of methods that enable easy hacking. This evolution has become pertinent with over 30,000 Apple Macs infected by the Silver Sparrow malware.
Silver Sparrow is being treated as a malware program, though its exact nature remains unclear. There are two versions that target macOS, one for Intel-based Macs and another for M1-based Macs.
The researchers who reported it also said that they do not yet know how it spreads, but they have collected some important information, such as that its infrastructure is hosted on Amazon Web Services S3. Some callback domains were hosted on Akamai’s CDN platform, which they take as a sign of sophistication.
“This implies that the adversary likely understands that the hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic. A majority of companies cannot afford to block access to resources in AWS and Akamai. Using AWS infrastructure supports our assessment that this is an operationally mature adversary,” they further said.
The malware has become a serious concern because it runs natively on Apple’s latest M1 chips. However, that does not mean only M1 Macs are being targeted; Intel-based Macs are at equal risk of infection.
Silver Sparrow uses the installer’s “system.run” command for execution. With it, an attacker can provide the full path to a process to execute along with its arguments. The malware then makes the installer spawn multiple bash processes to achieve its main objective.
This lets the operators quickly modify the code and evade simple static antivirus signatures, because the script is generated dynamically rather than shipped as a static file.
Upon execution it leaves two scripts behind on the infected disk, namely “/tmp/agent.sh” and “~/Library/Application Support/verx_updater/verx.sh”. The former executes immediately at the end of the installation and contacts the C2 to register the infection, while the latter executes periodically through a persistent Launch Agent to contact a remote host for information on payloads to execute.
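The two dropped scripts and the Launch Agent named above are the artifacts a defender can look for on disk. The following check is an added example, not part of the original report or of any researcher’s tooling: the two script paths come from the article, while the assumption that the persistence lives under ~/Library/LaunchAgents is general macOS behaviour, and since the article does not give the plist name, the script flags any plist there that mentions verx rather than guessing a filename.

```shell
#!/bin/sh
# Added example (not from the original report): look for the on-disk
# artifacts described above. The two script paths come from the report;
# the Launch Agent plist name is not given, so instead of guessing one we
# flag any plist under Library/LaunchAgents whose contents mention verx.
# ROOT and HOME_DIR are parameters so the check can be run against a
# mounted image or a constructed test tree, not only the live system.

# check_silver_sparrow ROOT HOME_DIR
# Prints one line per artifact found; returns 0 when clean, 1 otherwise.
check_silver_sparrow() {
    root="$1"
    home_dir="$2"
    found=0

    # Script 1: dropped to /tmp, runs once at the end of installation.
    if [ -f "$root/tmp/agent.sh" ]; then
        echo "FOUND: $root/tmp/agent.sh"
        found=1
    fi

    # Script 2: the periodic updater started by the persistent Launch Agent.
    verx="$home_dir/Library/Application Support/verx_updater/verx.sh"
    if [ -f "$verx" ]; then
        echo "FOUND: $verx"
        found=1
    fi

    # Persistence: per-user Launch Agents live in ~/Library/LaunchAgents
    # (assumed location; the report names no plist file).
    for plist in "$home_dir"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q "verx" "$plist"; then
            echo "FOUND: Launch Agent referencing verx: $plist"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone run against the current machine (on a Mac: root "/", home "$HOME").
if check_silver_sparrow / "$HOME"; then
    echo "No Silver Sparrow artifacts found"
else
    echo "Silver Sparrow artifacts present; preserve the files before cleanup"
fi
```

Run it as an unprivileged user for that user’s home, or point ROOT and HOME_DIR at a mounted disk image to triage a machine offline.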
As soon as Silver Sparrow was reported, Apple revoked the developer certificates that had allowed the malware to be installed. This blocked any further installations.
Mac users are normally protected from such malware because any software downloaded from outside the Mac App Store must be notarized. In this case, however, the Silver Sparrow authors were able to obtain a developer certificate and pass through the notarization process without being blocked.
It remains a mystery what the final version of this malware will do. Researchers are still unsure whether a payload has already been delivered and removed, or whether distribution is planned for a later date.
If you know about any latest progress that we missed out on, make sure to inform us through your comments.