M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery

by

The second known piece of malware that has been compiled to run natively on M1 Macs has been discovered by security firm Red Canary.

m1 mac mini screen
Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, neither Red Canary nor its research partners observed a final payload, so the exact threat that the malware poses remains a mystery.

Nevertheless, Red Canary said the malware could be "a reasonably serious threat":

Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

According to data provided by Malwarebytes, "Silver Sparrow" had infected 29,139 macOS systems across 153 countries as of February 17, including "high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany." Red Canary did not specify how many of these systems were M1 Macs, if any.

Given that the "Silver Sparrow" binaries "don't seem to do all that much" yet, Red Canary referred to them as "bystander binaries." When executed on Intel-based Macs, the malicious package simply shows a blank window with a "Hello, World!" message, while the Apple silicon binary leads to a red window that says "You did it!"

you did it silver sparrow
Red Canary shared methods for detecting a wide array of macOS threats, but the steps are not specific to detecting "Silver Sparrow":

- Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing in conjunction with a
command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
- Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

The first piece of malware capable of running natively on M1 Macs was discovered just days ago. Technical details about this second piece of malware can be found in Red Canary's blog post, and Ars Technica has a good explainer as well.

Tag: M1 Guide

Top Rated Comments

Vol Braakzakje Avatar
Vol Braakzakje
23 months ago
it’s Intel that tries to get people afraid to buy M1s
Score: 22 Votes (Like | Disagree)
chachawpi Avatar
chachawpi
23 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?
Score: 14 Votes (Like | Disagree)
Joniz Avatar
Joniz
23 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
Because it’s nice to hear that more developers are porting to Apple Silicon.

It’s a feel-good article.
Score: 14 Votes (Like | Disagree)
CmdrLaForge Avatar
CmdrLaForge
23 months ago
Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?
Score: 10 Votes (Like | Disagree)
Populus Avatar
Populus
23 months ago
Well, color me concerned.

Is this threat capable of infecting without our consent? (This is, allowing privileges when it tries to install itself). You know, requiring us to put the system password when required. Because otherwise, we should be safe just installing only from well known sources. Or Open Source software.

By the way thank you MacRumors (@Joe Rossignol, @arn) for letting us know about this issues. Just like on other issues like staingate and the butterflykeyboardgate, It is great that you report all this problems even if some people don’t like to hear about them.
Score: 9 Votes (Like | Disagree)
Populus Avatar
Populus
23 months ago

Thank you! I will not be buying anything that says M1 or M1x for at least 2 years.
Actually -and anyone who thinks I am wrong, please correct me- I think this threat is the same for Intel and M1 macs. It is compiled for both architectures.
Score: 8 Votes (Like | Disagree)
Read All Comments

Related Stories

mac mini quinn nelson

YouTuber Modifies M1 Mac Mini to Be 78% Smaller

Wednesday March 2, 2022 5:06 am PST by
A YouTuber has successfully made the M1 Mac mini 78% smaller and added MagSafe in a unique DIY project, highlighting Apple's iterative approach to the current entry-level Mac mini ahead of the expected launch of a redesigned high-end model. When Apple introduced the M1 Mac mini in November 2020, it retained the exact same unibody design that the company has used since 2010. Subsequent teardow...
Read Full Article124 comments
General Dropbox Feature

macOS 12.3 Will Include Cloud Storage Changes Affecting Dropbox and OneDrive

Tuesday January 25, 2022 3:31 pm PST by
Dropbox today announced that users who update to macOS 12.3 once that software version becomes available may temporarily encounter issues with opening online-only files in some third-party apps on their Mac. In a support document and an email to customers, Dropbox said it is actively working on full support for online-only files on macOS 12.3 and will begin rolling out an updated version of...
Read Full Article70 comments
mac mini intel gray

Mac Mini and Mac Pro are Apple's Last Two Remaining Intel Macs With Launch of Mac Studio

Tuesday March 8, 2022 11:31 am PST by
With the launch of the new Mac Studio that replaces the higher-end 27-inch Intel iMac, Apple has just two Intel Macs left in its lineup - the Mac Pro and the Mac mini. Though the Mac Studio appears to be something of a Mac mini and Mac Pro hybrid, Apple has not discontinued the high-end Intel Mac mini and it remains in the lineup. This suggests a new version of the high-end Mac mini is...
Read Full Article56 comments
march 2022 event coverage

Apple Event Live Blog: iPhone SE, iPad Air, Mac Studio, and More

Tuesday March 8, 2022 9:01 am PST by
Apple's virtual "Peek Performance" event kicks off today at 10:00 a.m. Pacific Time, where we're expecting to see new iPhone SE and iPad Air models, as well as at least one new Mac model. Apple is providing a live video stream on its website, on YouTube, and in the company's TV app across its platforms. We will also be updating this article with live blog coverage and issuing Twitter updates ...
Read Full Article1485 comments
13 inch macbook pro m2 mock feature 2

New M2-Powered MacBooks Could Be Conspicuously Absent At Today's Apple Event

Tuesday March 8, 2022 6:58 am PST by
Last-minute rumors leading up to Apple's "Peek Performance" event have cast doubt on long-running expectations that Apple will reveal a new or updated MacBook model with an M2 chip on Tuesday. Last month, Bloomberg's Mark Gurman reported that Apple was preparing to launch at least one new Mac at its March 8 event, and at the time Gurman speculated that it would likely be a high-end Mac mini...
Read Full Article124 comments
f1646764298

Apple Announces 'M1 Ultra' Chip With 20-Core CPU, Up to 64-Core GPU, and Support for 128GB of Memory

Tuesday March 8, 2022 10:28 am PST by
Apple today announced the M1 Ultra chip, the third iteration to the M1 family, and it represents the next "breakthrough" for Apple Silicon. M1 Ultra consists of two M1 Max chips connected with die-to-die technology called "UltraFusion." The new highest-end chip of Apple Silicon features 114 billion transistors, with higher support for bandwidth memory at 800GB/s. "M1 Ultra is another...
Read Full Article117 comments
m3 feature black

TSMC Expected to Begin 3nm Chip Production in Late 2022 Ahead of First M3 Macs

Thursday December 23, 2021 8:36 am PST by
TSMC plans to begin commercial production of chips built on its 3nm process in the fourth quarter of 2022, according to industry sources cited by DigiTimes. The full report has yet to be published, so no additional details are available at this time. Apple is expected to release its first devices with 3nm chips fabricated by TSMC in 2023, including Macs with M3 chips and iPhone 15 models...
Read Full Article123 comments
aws ec2 m1 mac mini

Amazon's EC2 Service to Offer M1 Mac Mini Instances for Faster Build Times

Thursday December 2, 2021 9:43 am PST by
Amazon today announced that its Elastic Compute Cloud (EC2) service is now offering a "preview" of M1 Mac mini instances in the Amazon Web Services (AWS) regions of U.S. East and U.S. West, with other regions to be available when the instances are fully released. An "instance" is a virtual server available for rent through Amazon's EC2 service for running apps on AWS infrastructure....
Read Full Article21 comments

Popular Stories

Cyber Monday Deals Feature 2022

Best Cyber Monday Apple Deals Still Available for AirPods, Apple TV, iPad, and More

Monday November 28, 2022 5:24 am PST by
The Black Friday and Cyber Monday holiday shopping rush is drawing to a close, but there are still some good deals to be had out there. For Apple products, many of the deals you've seen since last week are still available, though some have expired. So for anyone who missed out on Black Friday deals, there's still an opportunity to get some of the year's best prices on many Apple devices. Note: ...
Read Full Article12 comments
iPhone 14 Pro Rear Camera

iPhone 15 to Use 'State-of-the-Art' Image Sensor From Sony for Better Low-Light Performance

Monday November 28, 2022 11:00 am PST by
Apple's upcoming iPhone 15 models will be equipped with Sony's newest "state of the art" image sensors, according to a report from Nikkei. Compared to standard sensors, Sony's image sensor doubles the saturation signal in each pixel, allowing it to capture more light to cut down on underexposure and overexposure. Nikkei says that it is able to better photograph a person's face even with...
Read Full Article138 comments
Apple Watch Ultra Oceanic Plus App

Apple Announces Oceanic+ App Now Available for Apple Watch Ultra

Monday November 28, 2022 6:11 am PST by
Apple today announced that the Oceanic+ app is available for the Apple Watch Ultra starting today. Designed by Huish Outdoors in collaboration with Apple, the app serves as a dive computer for recreational scuba diving at depths up to 40 meters/130 feet. Apple already offers a basic Depth app on the Apple Watch Ultra for viewing your current depth, maximum depth reached, water temperature,...
Read Full Article120 comments
app store awards 2021

Apple Announces 2022 App Store Award Winners, Highlighting Best Apps of the Year

Tuesday November 29, 2022 3:10 am PST by
Apple today announced its 2022 App Store Award winners, highlighting the 16 best apps and games selected by Apple's global App Store editorial team. The top apps were chosen by Apple for their quality, innovative technology, creative design, positive cultural impact, and ability to deliver "exceptional experiences." Apple CEO Tim Cook said: This year's App Store Award winners reimagined...
Read Full Article37 comments
rapid security response

Apple Releases Another Rapid Security Response Update for iOS 16.2 Beta Users

Monday November 28, 2022 10:16 am PST by
Apple today released a Rapid Security Response update that is available for those running the iOS 16.2 beta, marking the launch of the second RSR update since the feature was released in iOS 16. The Rapid Security Response Update is designed to provide iOS 16.2 beta users with bug fixes without the need to install a full update. The initial RSR release for iOS 16.2 beta users was a test with ...
Read Full Article34 comments
twitter elon musk

Elon Musk Claims Apple Has 'Mostly Stopped' Offering Ads on Twitter and Is Making Moderation Demands

Monday November 28, 2022 10:42 am PST by
Apple has cut back on its Twitter advertising, according to Twitter CEO Elon Musk. In a tweet, Musk said that Apple has "mostly stopped" its Twitter ads, asking if Apple hates "free speech." Musk went on to publish a poll asking if Apple should "publish all censorship actions" taken that impact customers and he began retweeting content from companies that Apple has had moderation discussions ...
Read Full Article1380 comments
iphone 11 tesla cybertruck close up

Elon Musk Pledges to Build iPhone Rival If Apple Ousts Twitter

Tuesday November 29, 2022 2:48 am PST by
Elon Musk has pledged to offer an "alternative phone" if Apple and Google remove Twitter from their app stores, adding to long-standing rumors about an iPhone rival from Tesla. Modified iPhone 11 Pro in the style of the Tesla Cybertruck, by Caviar. Musk's remark came after being asked about the potential scenario of Twitter being removed from app stores, which could conceivably happen if the...
Read Full Article
General Black Friday Deals 2022 Green

All the Apple Black Friday Deals You Can Still Get

Friday November 25, 2022 4:40 am PST by
Although Black Friday is now technically over, many Apple products are still seeing major discounts through the weekend as we head into Cyber Monday. In this article, you'll find every Apple device with a notable Black Friday sale that's still available. We'll be updating as prices change and new deals arrive, so be sure to keep an eye out if you don't see the sale you're looking for yet. Note:...
Read Full Article49 comments