Researchers have found a malware variant compatible with Apple's new M1 architecture on nearly 30,000 Macs with the M1 chipset. It is not the first malware tailored for the M1 seen in the wild, but it is striking that it does not yet carry a payload.
The researchers told Ars Technica that the malware keeps in touch with command and control servers hosted at Amazon and Akamai, making them difficult to block. It is also unknown what exactly triggers the malware. Anyone who runs the malware's binaries is only greeted with the messages "Hello World!" and "You did it!". It is also striking that the malware has a self-destruct mechanism, so that it leaves no unnecessary traces behind after the payload has been deployed.
What is already clear is that the malware spreads widely. The Red Canary researchers state that the relatively high infection rate is partly due to the fact that the malware is also compatible with x86_64 processors, which older Macs run on. Ars Technica calls the nearly 30,000 infections discovered "impressive". Those infections are mainly concentrated in Western Europe. Malwarebytes also notes that the actual number of infections is likely to be much higher, as they have not been able to detect all of them.
Because the malware, upon successful installation, requests the URL the installer was originally downloaded from, the researchers speculate that it may be spreading through malicious search results while masquerading as a legitimate app.
The researchers, from Red Canary and Malwarebytes, state that although the malware currently does nothing, the information must be shared with the infosec community. The malware, which they call Silver Sparrow, could receive a very harmful payload in the future. The report also details how users can check whether the malware is present on their system.