Original Release Date: 2/25/2021
Security researchers at Red Canary disclosed a new malware, identified as Silver Sparrow, affecting macOS systems. The malware leverages the macOS Installer JavaScript API to execute commands, the first observed use of this technique by malware. There are currently two variants of the malware: version one only affects the Intel x86_64 architecture, while version two affects both Intel x86_64 and M1 ARM64 architectures. The malware's command and control infrastructure is hosted on Amazon Web Services' (AWS) S3 cloud platform, while the callback domain is hosted through Akamai's Content Delivery Network (CDN). Researchers assess that the threat actors behind Silver Sparrow are advanced and pose a reasonably serious threat due to the rate of proliferation, the capability to infect the newly released M1 ARM64 architecture, and the unprecedented use of JavaScript to execute the payload. The initial infection vector and the purpose of this malware have yet to be determined. At the time of this writing, approximately 39,000 devices have been infected across 164 countries.
The NJCCIC recommends macOS users review indicators of compromise (IOCs) found in the Red Canary blog post and the Malwarebytes article to determine infection status. Additionally, users are reminded to follow cybersecurity best practices in order to reduce their risk of malware infection.
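To complement the IOC review above, the following added example (not code from the NJCCIC, Red Canary, or Malwarebytes write-ups) shows a small Python check for the technique this advisory names: a package's Distribution file whose embedded JavaScript calls the Installer API's `system.run` from an installation check. The two Distribution samples are constructed; the element names and API calls come from Apple's Distribution XML format and Installer JavaScript API.

```python
import re
import xml.etree.ElementTree as ET

# Installer JavaScript API calls that hand control to a command while the
# package is still being evaluated, before any payload is installed.
CMD_CALL_RE = re.compile(r"(system\.run(?:Once)?)\s*\(")

def audit_distribution(distribution_xml: str) -> dict:
    """Flag a package Distribution file whose embedded JavaScript runs commands."""
    root = ET.fromstring(distribution_xml)
    # Hooks the Installer evaluates automatically; the script attribute
    # names the JavaScript entry point that will run.
    handlers = {}
    for tag in ("installation-check", "volume-check"):
        el = root.find(tag)
        if el is not None and el.get("script"):
            handlers[tag] = el.get("script")
    # Every <script> body is JavaScript; look for command-execution calls.
    calls = []
    for script in root.iter("script"):
        calls.extend(m.group(1) for m in CMD_CALL_RE.finditer(script.text or ""))
    return {"handlers": handlers, "calls": sorted(set(calls)), "suspicious": bool(calls)}

# Constructed samples (not taken from any real package): one Distribution
# file whose installation check shells out, and one that only declares choices.
SUSPICIOUS_SAMPLE = """<installer-gui-script minSpecVersion="2">
  <title>Constructed Sample</title>
  <installation-check script="installCheck();"/>
  <script><![CDATA[
function installCheck() {
  system.run("/bin/sh", "-c", "echo constructed-sample");
  return true;
}
]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Default"/>
</installer-gui-script>"""

BENIGN_SAMPLE = """<installer-gui-script minSpecVersion="2">
  <title>Constructed Benign Sample</title>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" title="Default"/>
</installer-gui-script>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, audit_distribution(xml))
```

On macOS, `pkgutil --expand package.pkg outdir` writes the package's Distribution file to `outdir/Distribution`, whose contents can be passed to `audit_distribution()` before the package is ever opened in Installer.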