30,000 Macs infected with new Silver Sparrow malware

Security researchers have spotted a new malware operation targeting Mac devices that has silently infected almost 30,000 systems.

Named Silver Sparrow, the malware was discovered by security researchers from Red Canary and analyzed together with researchers from Malwarebytes and VMWare Carbon Black.

“According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany,” Red Canary’s Tony Lambert wrote in a report published last week.

But despite the high number of infections, details about how the malware was distributed and infected users are still scarce, and it’s unclear if Silver Sparrow was hidden inside malicious ads, pirated apps, or fake Flash updaters —the classic distribution vector for most Mac malware strains these days.

Furthermore, the purpose of this malware is also unclear, and researchers don’t know what its final goal is.

Once Silver Sparrow infects a system, the malware just waits for new commands from its operators —commands that never arrived during the time researchers analyzed it, hoping to learn more of its inner workings prior to releasing their report.

But this shouldn’t be interpreted as a failed malware strain, Red Canary warns. It may be possible that the malware is capable of detecting researches analyzing its behavior and is simply avoiding delivering its second-stage payloads to these systems.

The large number of infected systems clearly suggests this is a very serious threat and not just some threat actor’s one-off tests.

Silver Sparrow supports M1 chips

In addition, the malware also comes with support for infecting macOS systems running on Apple’s latest M1 chip architecture, once again confirming this is a novel and well-maintained threat.

In fact, Silver Sparrow is the second malware strain discovered that can run on M1 architectures after the first was discovered just four days before, showing exactly how cutting-edge this new threat really is.

“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Lambert warned in his report.

“Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”

The Red Canary report contains indicators of compromise, such as files and file paths created and used by the malware, which can be used to detect infected systems.