Early days of a Mac attack campaign
This weekend, the team at Red Canary wrote about a new Mac-focused malware they dubbed Silver Sparrow. Now, identifying new malware is a common activity for research teams across the globe. However, few groups are spending time looking for Mac-specific malware, let alone identifying one of the more interesting examples of a threat framework as it’s growing. It's great to see more researchers interested in Mac malware.
What is Silver Sparrow?
While we suggest you read through the Silver Sparrow report in detail, here are some of the highlights:
- Silver Sparrow is Mac-specific malware. This does not appear to be a cross-platform attack.
- This malware has been found in the wild on more than 29k macOS endpoints, and the first samples were submitted to VirusTotal on August 31, 2020.
- There are two versions of the malware making the rounds: one for Intel-based Macs and one that is a universal binary that attacks M1-based Macs natively.
Image source: redcanary.com
Aspects of Silver Sparrow we haven't seen in Mac malware until now
As we dig into the malware in question, we can see some interesting aspects that we have not often seen in Mac malware up to this point:
- The package (PKG or DMG file) uses preinstall/postinstall scripts to report back to the creators about the infection and achieve persistence.
- The C2 beaconing process attempts to retrieve a payload for the malware. However, up to this point, no payload has been identified.
- A binary is included in the malware that does not seem to be run under any known circumstances. When purposefully executed, it opens up a window that shows the message “Hello, World” or “You did it.”
Of course, a full list of Silver Sparrow's indicators of compromise (IOCs) is listed in the report.
Expect M1-targeted Mac attacks
As we discussed recently, M1-targeted attacks are not unexpected. Any malware built to attack Macs can theoretically be compiled to run on M1 devices directly. Unless something specific in the M1 architecture prevents the attack, the malware will run just fine. What is more, thanks to Rosetta, even the Intel-targeted version of Mac malware will run on an M1 device.
Malware authors see the same benefits in rebuilding their software for M1 as other developers do: better performance and lower device impact. We really can't blame them for adopting M1-targeted universal binaries.
The question comes down to this: how do we identify and prevent these attacks?
Luckily, this malware appears benign today. Since no payload is being distributed, and without a payload the malware seems only to achieve persistence, the main impact is the risk of a future payload, the potential exposure of device and network information, and resource consumption. What this does look like is the start of a bigger malware campaign against Macs.
Similar to botnets
Malware frameworks like this have been discovered on Windows for many years, but they have been much sparser on Macs. We have often referred to them as botnets. These kinds of attack campaigns tend to start slow, spreading across many devices quietly until the attackers activate them by deploying specific capabilities. This looks like the early stage of a major Mac botnet. Identifying and combating it now is much easier than trying to break it apart once it has gone active.
Identifying and removing Silver Sparrow from devices
The malware as it stands today is not overly difficult to identify and even remove from devices.
- The list of known versions of the initial PKG/DMG file is short, and hashes are available.
- The list of both static and dynamic files is well understood.
- We know how to identify the LaunchAgent persistence.
Moreover, the developer certificate used to sign the initial binaries has been revoked by Apple.
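One way to look for the kind of script-driven LaunchAgent persistence described above is to score each agent plist on a few signals (runs at load, re-runs on a timer, launches a shell interpreter, references a script in a user-writable path). This is an added example, not Jamf's or Red Canary's code; the labels, paths and the two-signal threshold are constructed assumptions, not the malware's real indicators.

```python
import plistlib
from pathlib import Path

# Assumed heuristics, not indicators from the report: a LaunchAgent that runs a
# shell interpreter at load, on a timer, and points at a script or network tool
# in a user-writable location has the shape of script-driven persistence.
SHELL_NAMES = {"sh", "bash", "zsh"}
SUSPECT_TOKENS = ("curl ", "/tmp/", "/Library/Application Support/")


def analyze_launch_agent(plist_bytes: bytes) -> dict:
    """Score one LaunchAgent plist (XML or binary) and list the reasons."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [])
    if not args and data.get("Program"):
        args = [data["Program"]]
    reasons = []
    if data.get("RunAtLoad"):
        reasons.append("runs at load")
    if data.get("StartInterval"):
        reasons.append(f"re-runs every {data['StartInterval']}s")
    if args and Path(args[0]).name in SHELL_NAMES:
        reasons.append(f"launches shell interpreter {args[0]}")
    joined = " ".join(args)
    for token in SUSPECT_TOKENS:
        if token in joined:
            reasons.append(f"arguments reference {token.strip()}")
    # Two or more signals together is the threshold assumed here; tune per fleet.
    return {"label": data.get("Label"), "suspicious": len(reasons) >= 2,
            "reasons": reasons}


def scan_launch_agents(directory: str) -> list:
    """Analyze every .plist in a LaunchAgents folder, e.g. ~/Library/LaunchAgents."""
    results = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        verdict = analyze_launch_agent(path.read_bytes())
        verdict["path"] = str(path)
        results.append(verdict)
    return results


# Constructed samples with placeholder labels and paths (not the real malware's).
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.example.placeholder.agent",
    "ProgramArguments": ["/bin/sh", "-c", "/tmp/example_agent.sh"],
    "RunAtLoad": True,
    "StartInterval": 3600,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.vendor.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})
```

Run `scan_launch_agents("~/Library/LaunchAgents")` on a Mac to triage real agents; anything flagged should be confirmed against the published hashes and file list before removal.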
Jamf Protect can help
Of course, Jamf Protect is here to help. We already prevent the execution of the existing (seemingly benign) payload through our Threat Prevention feature. We also prevent the beaconing activity in the shell command that alerts C2 servers to retrieve new workloads.
As we learn more about this malware, we’ll keep you up to date. If you are a Jamf Protect customer, please ensure you have Threat Prevention enabled to keep your devices safe against this and similar attacks.
Jamf Protect is purpose-built endpoint protection for the Mac.