The new macOS malware strain has infected almost 30,000 devices so far, running on Apple’s new M1 chips. Most instances were detected in the United States, United Kingdom, Canada, France and Germany, though it has been reported that Silver Sparrow has reached Macs in at least 153 countries.

The peculiar thing about this new malware though – it’s missing a payload. Yep, you read correctly. The malware doesn’t actually do anything yet. You may be wondering why you should care about it at all if so. Well, Red Canary, the security firm that uncovered the malware, says it has unique, advanced characteristics compared to other Mac malware, making it a threat to watch out for. Silver Sparrow quickly reached a high volume of infections around the world, and boasts operational maturity, preparing the ground for the day it does indeed come with a strong payload. The malware also uses Akamai and Amazon Web Services for its command and control infrastructure, potentially making it very complicated to shut down. At the moment, Macs with a Silver Sparrow infection communicate with the C2 server once every hour, waiting for new commands.

Following the Silver Sparrow discovery, Apple revoked the developer certificates of accounts used to sign the packages, preventing new macOS machines from being infected. But what worries security researchers most about this malware is that its purpose is still a mystery, and its next version could pack a real, impactful punch. Red Canary warns – don’t overlook this threat.

The ThreatSTOP team closely follows indicators of compromise for this and other malware strains, protecting our customers with the most up-to-date threat intelligence. ThreatSTOP customers are typically protected from threats like Silver Sparrow through blocking the IP addresses for the C2 servers, and/or blocking the domains being used, which may be newly registered or observed. 

 

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?