[Security Information] The new malware "Silver Sparrow" has infected nearly 30,000 Macs and has spread to 153 countries/regions

  • Author|luochicun
  • Source|Shouhou.com
  • Release time|2021-02-26


A few days after the first malware targeting Apple's M1 chip was found in the wild this year, researchers disclosed another previously undetected piece of malware. As of press time it had been found on roughly 30,000 Macs, running both on Intel x86_64 machines and natively on Apple's M1 processors.

The ultimate goal of the operation is still unknown. Because no next-stage or final payload has been recovered, researchers cannot tell what the operators intend to deliver, on what timeline, or whether the campaign is still under active development.

The security company Red Canary has named the malware "Silver Sparrow" and found two distinct versions. The first (version 1) is compiled only for Intel x86_64 and was uploaded to VirusTotal on August 31, 2020. The second (version 2) is a universal binary for both Intel x86_64 and M1 ARM64 and was submitted on January 22.

Because the Silver Sparrow binaries "don't seem to do much," Red Canary calls them "bystander binaries." When run on an Intel-based Mac, the binary simply opens an otherwise blank window containing the text "Hello, World!"; the Apple silicon binary opens a red window reading "You did it!".

Red Canary's Tony Lambert explains:

The Mach-O compiled binaries don't seem to do much, so we've been referring to them as "bystander binaries." We can't determine what payload the malware would distribute, whether a payload has already been delivered and removed, or whether the adversary has a future timeline for distribution.

Malwarebytes' telemetry shows that as of February 17, 29,139 macOS endpoints had been detected in 153 countries/regions, with high concentrations in the United States, the United Kingdom, Canada, France, and Germany.

Although they target different macOS architectures, the two samples follow the same method of operation: they abuse the macOS Installer JavaScript API to run commands during installation, dynamically generating two shell scripts and writing them to the target file system.

"agent.sh" runs once, at the end of installation, to notify the AWS-hosted command-and-control (C2) server that the install succeeded. "verx.sh" runs once an hour, contacting the C2 server to download and execute further instructions.

The malware also has the ability to remove itself completely from an infected device, which suggests the operators behind the campaign have put effort into stealth.

Apple is aware of the campaign and has revoked the Developer ID certificates used to sign the binaries (Saotia Seay for v1, Julie Willey for v2), preventing further installations.

Silver Sparrow is the second known malware containing code that runs natively on Apple's new M1 chip. The first, discovered last week, was a Safari adware extension called GoSearch22 that had been ported to the latest generation of Macs powered by the new processors. It was found by security researcher Patrick Wardle, who identified GoSearch22.app running on the M1 platform. The extension belongs to one of the oldest and most active Mac adware families, known for changing constantly to evade detection. GoSearch22 presents itself as a legitimate Safari browser extension, but it collects user data and delivers large numbers of advertisements, pop-ups, and links to malicious websites.

Although the program's logic is the same on both platforms, anti-virus products readily detect the Intel x86 build while largely missing the ARM64 (M1) build. As of now, most anti-virus software still cannot identify and remove the M1 version of the malware.

Lambert said:

Although we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

Red Canary has also shared detection ideas for a range of macOS attacks; these are not written specifically for Silver Sparrow, but each covers a behavior it exhibits:

  • Look for a process that appears to be PlistBuddy executing with a command line that contains all of: LaunchAgents, RunAtLoad, and true. This analytic helps find multiple macOS malware families establishing persistence via a LaunchAgent.
  • Look for a process that appears to be sqlite3 executing with a command line that contains LSQuarantine. This analytic helps find multiple macOS malware families that manipulate or query the metadata of downloaded files.
  • Look for a process that appears to be curl executing with a command line that contains s3.amazonaws.com. This analytic helps find multiple macOS malware families that use S3 buckets for distribution.
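The three analytics above can be expressed as simple process-name plus command-line rules. The following Python is an example added here, not Red Canary's detection code and not anything from the Silver Sparrow installer; it assumes a hypothetical one-JSON-object-per-line process event feed with "pid", "exe" and "cmdline" fields, and every sample command line, path and bucket name in the embedded log is constructed for illustration.

```python
#!/usr/bin/env python3
"""Run the three macOS process analytics described above over sample telemetry.

Added example; the JSON-lines event format and the sample log are assumptions,
not a real EDR schema or real Silver Sparrow indicators.
"""
import json
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    process: str       # expected basename of the executable
    needles: tuple     # every needle must appear in the command line


# One rule per analytic from the list above; matching is case-insensitive,
# since the originals write "launchAgents" but the real path is "LaunchAgents".
RULES = (
    Rule("launchagent_persistence_via_plistbuddy", "PlistBuddy",
         ("LaunchAgents", "RunAtLoad", "true")),
    Rule("quarantine_db_query_via_sqlite3", "sqlite3", ("LSQuarantine",)),
    Rule("s3_download_via_curl", "curl", ("s3.amazonaws.com",)),
)


def matches(rule, event):
    """True if the event's executable and command line satisfy the rule."""
    exe = os.path.basename(event.get("exe", ""))
    if exe.lower() != rule.process.lower():
        return False
    cmdline = event.get("cmdline", "").lower()
    return all(needle.lower() in cmdline for needle in rule.needles)


def scan(lines):
    """Return (rule name, pid) for every event that triggers a rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the pass
        for rule in RULES:
            if matches(rule, event):
                hits.append((rule.name, event["pid"]))
    return hits


# Constructed sample telemetry: three true positives (4101, 4103, 4104) and
# three benign uses of the same binaries that must not fire.
SAMPLE_LOG = """
{"pid": 4101, "exe": "/usr/libexec/PlistBuddy", "cmdline": "PlistBuddy -c \\"Add :Label string com.example.updater\\" -c \\"Add :RunAtLoad bool true\\" -c \\"Add :StartInterval integer 3600\\" /Users/alice/Library/LaunchAgents/com.example.updater.plist"}
{"pid": 4102, "exe": "/usr/libexec/PlistBuddy", "cmdline": "PlistBuddy -c Print /Library/Preferences/SystemConfiguration/preferences.plist"}
{"pid": 4103, "exe": "/usr/bin/sqlite3", "cmdline": "sqlite3 /Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 \\"select LSQuarantineDataURLString from LSQuarantineEvent\\""}
{"pid": 4104, "exe": "/usr/bin/curl", "cmdline": "curl https://example-bucket.s3.amazonaws.com/version.json"}
{"pid": 4105, "exe": "/usr/bin/curl", "cmdline": "curl https://example.org/"}
{"pid": 4106, "exe": "/usr/bin/sqlite3", "cmdline": "sqlite3 /tmp/app.db .tables"}
"""

if __name__ == "__main__":
    for name, pid in scan(SAMPLE_LOG.splitlines()):
        print(f"{name}: pid {pid}")
```

The rules key on the executable's basename rather than the full path so that a copy of PlistBuddy or curl staged under a different directory still matches; conversely, requiring all three PlistBuddy needles keeps routine `Print` invocations from firing, as the benign events in the sample show.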



Source: blog.csdn.net/YiAnSociety/article/details/114131351