M1 Macs Targeted by Additional Malware, Exact Threat Remains a Mystery

The second known piece of malware that has been compiled to run natively on M1 Macs has been discovered by security firm Red Canary.

m1 mac mini screen
Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, neither Red Canary nor its research partners observed a final payload, so the exact threat that the malware poses remains a mystery.

Nevertheless, Red Canary said the malware could be "a reasonably serious threat":

Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

According to data provided by Malwarebytes, "Silver Sparrow" had infected 29,139 macOS systems across 153 countries as of February 17, including "high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany." Red Canary did not specify how many of these systems were M1 Macs, if any.

Given that the "Silver Sparrow" binaries "don't seem to do all that much" yet, Red Canary referred to them as "bystander binaries." When executed on Intel-based Macs, the malicious package simply shows a blank window with a "Hello, World!" message, while the Apple silicon binary leads to a red window that says "You did it!"

you did it silver sparrow
Red Canary shared methods for detecting a wide array of macOS threats, but the steps are not specific to detecting "Silver Sparrow":

- Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing in conjunction with a
command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
- Look for a process that appears to be curl executing in conjunction with a command line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

The first piece of malware capable of running natively on M1 Macs was discovered just days ago. Technical details about this second piece of malware can be found in Red Canary's blog post, and Ars Technica has a good explainer as well.

Top Rated Comments

Vol Braakzakje Avatar
10 months ago
it’s Intel that tries to get people afraid to buy M1s
Score: 22 Votes (Like | Disagree)
chachawpi Avatar
10 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
If security researchers say it's a big deal, it's a big deal. Why so defensive anyway?
Score: 14 Votes (Like | Disagree)
Joniz Avatar
10 months ago

Nothing more than fear mongering. These are just existing Mac malware/adware exploits that are being ported to run on ARM. So, what? What would you expect? All this crap comes from Windows/x86/PCs to begin with. And then MR gives is front page status? It's the same stuff that ALREADY EXISTS on other Macs and Windows PCs, for crying out loud! Click bait. Boo.
Because it’s nice to hear that more developers are porting to Apple Silicon.

It’s a feel-good article.
Score: 14 Votes (Like | Disagree)
CmdrLaForge Avatar
10 months ago
Ok, how does this article help in avoiding the threat or detecting it. How does one get infected?
Score: 10 Votes (Like | Disagree)
Populus Avatar
10 months ago
Well, color me concerned.

Is this threat capable of infecting without our consent? (This is, allowing privileges when it tries to install itself). You know, requiring us to put the system password when required. Because otherwise, we should be safe just installing only from well known sources. Or Open Source software.

By the way thank you MacRumors (@Joe Rossignol, @arn) for letting us know about this issues. Just like on other issues like staingate and the butterflykeyboardgate, It is great that you report all this problems even if some people don’t like to hear about them.
Score: 9 Votes (Like | Disagree)
Populus Avatar
10 months ago

Thank you! I will not be buying anything that says M1 or M1x for at least 2 years.
Actually -and anyone who thinks I am wrong, please correct me- I think this threat is the same for Intel and M1 macs. It is compiled for both architectures.
Score: 8 Votes (Like | Disagree)

Related Stories

mac security privacy

Apple Takes Step to Prevent Further Spread of 'Silver Sparrow' Malware on Macs

Monday February 22, 2021 6:13 am PST by
Over the weekend, we reported on the second known piece of malware compiled to run natively on M1 Macs. Given the name "Silver Sparrow," the malicious package is said to leverage the macOS Installer JavaScript API to execute suspicious commands. After observing the malware for over a week, however, security firm Red Canary did not observe any final payload, so the exact threat to users remains a...
redshift for mac

Maxon's Redshift Now Available for macOS With Support for Metal and M1 Macs

Tuesday April 13, 2021 12:38 pm PDT by
Maxon is bringing its GPU-accelerated renderer Redshift to macOS, with support for Apple's line of M1 Macs and Apple's Metal Graphics API for speedy performance on Apple's machines. Lunar Animation director James Rodgers says his company is seeing "crazy results" rendering with Redshift on a Mac Pro with Metal support. "A typical frame from the very effects heavy game cinematic we created...
imac color options

Apple's $1,299 M1 iMac Available in Blue, Green, Pink and Silver, With Yellow, Orange and Purple Limited to $1,499 Versions

Tuesday April 20, 2021 11:37 am PDT by
Apple's new M1 iMacs are available in a range of color options that include Blue, Green, Pink, Silver, Yellow, Orange, and Purple. The new machines feature vibrant colored backs with lighter colors for the chin and accompanying stand. Apple is limiting color availability by price point. The entry-level $1,299 M1 iMac is available in Blue, Green, Pink and Silver, while the higher-end $1,499...
rosetta 2

Rosetta May Be Removed From M1 Macs in Some Regions on macOS 11.3

Tuesday March 2, 2021 5:20 pm PST by
Installing the upcoming macOS 11.3 software update on an M1 Mac may result in Rosetta 2 being removed in one or more regions around the world. In the third beta of macOS 11.3 seeded to developers for testing today, MacRumors contributor Steve Moser uncovered new strings in the beta's code indicating that "Rosetta will be removed upon installing this update." Another new string reads "Rosetta ...
apple security banner

macOS 11.3 Patches Security Vulnerability That Bypassed Built-In Malware Protections

Monday April 26, 2021 11:03 am PDT by
Apple today confirmed to TechCrunch that the just-released macOS 11.3 software update patches a security vulnerability that reportedly could have allowed a hacker to remotely access a user's sensitive data by tricking a user into opening a spoofed document. "All the user would need to do is double click — and no macOS prompts or warnings are generated," said security researcher Cedric...
docker for mac

Docker Desktop for Mac Updated With Apple Silicon Support

Thursday April 15, 2021 9:00 am PDT by
Docker today announced that it has launched a new version of Docker Desktop for Mac with Apple silicon support, allowing developers to use the Docker software on the M1 MacBook Pro, MacBook Air, and Mac mini. Prior to launching, the version of Docker Desktop for Mac with M1 compatibility has been available as a technical preview, and Docker says that testers have found the software to be...
m2 feature

Apple's 'M2' Next-Gen Mac Chip Enters Mass Production, Expected to Debut in Redesigned MacBooks Later This Year

Tuesday April 27, 2021 1:38 am PDT by
Apple's custom next-generation Mac processor entered mass production this month, claims a new report today from Nikkei Asia. Tentatively dubbed the "M2" after Apple's M1 chip, the processors take at least three months to produce and could begin shipping as early as July in time for incorporation in Apple's next line of MacBooks, according to the paper's sources. The next generation of Mac...
m1 mac family

Apple Now Selling More M1 Macs Than Intel-Based Models, Says Tim Cook

Wednesday April 21, 2021 4:34 am PDT by
Despite only being released in November, sales of the M1-powered MacBook Air, MacBook Pro, and Mac mini now represent the majority of Mac sales, outperforming Mac computers powered by Intel processors, according to Apple CEO Tim Cook. Cook made the remarks during Apple's "Spring Loaded" event yesterday, where it introduced a completely redesigned 24-inch iMac powered by the M1 Apple silicon...
parallels windows 10 arm mac

Parallels 16.5 Can Virtualize ARM Windows Natively on M1 Macs With Up to 30% Faster Performance

Wednesday April 14, 2021 7:00 am PDT by
Parallels today announced the release of Parallels Desktop 16.5 for Mac with full support for M1 Macs, allowing for the Windows 10 ARM Insider Preview and ARM-based Linux distributions to be run in a virtual machine at native speeds on M1 Macs. Parallels says running a Windows 10 ARM Insider Preview virtual machine natively on an M1 Mac results in up to 30 percent better performance compared ...