Silver Sparrow Malware Discovered on 30,000 Macs with No Detectable Payload

Red Canary security researchers announced Friday that malware they dubbed Silver Sparrow was found on nearly 30,000 macOS devices. Silver Sparrow is notable for a few reasons: it already targets Apple silicon, it‘s set to remove all traces of itself when it detects a specific file, and it doesn’t seem like it actually does anything yet.

Researchers at MalwareBytes and VMWare Carbon Black contributed to Red Canary’s findings. MalwareBytes data showed that Silver Sparrow had infected 29,139 devices in the U.S., UK, Canada, France, Germany, and 148 other countries as of February 17. The actual number of infections is probably higher; MalwareBytes isn’t omniscient.

Red Canary said it discovered two versions of Silver Sparrow. The first only targeted macOS devices featuring Intel processors, but the second expanded to include the M1 chip that Apple introduced in November 2020, which means the malware’s unidentified creators are among the first to target the company’s Arm-based silicon.

But so far, Silver Sparrow doesn’t actually deliver a payload to infected devices. The first version of the malware contained a binary that simply displayed a “Hello, World!” message; the second displayed a message saying, “You did it!” Red Canary said the binaries were likely placeholders for a payload that hasn’t arrived yet.

Silver Sparrow can run a file check that leads to the removal of “all persistence mechanisms and scripts” if it finds “~/Library/._insu” on the disk. Red Canary said that particular file “does not appear present by default on macOS and we currently don’t know the circumstances under which the file appears.”

These are common traits of sophisticated attacks that find as many devices as possible, establish a presence on those devices, and await further instructions. The missing payload can be distributed when the malware’s creators are ready, and the file check can be used to exclude specific devices from the operation.

That’s why Red Canary decided to share its findings when it did. The company said:

 “Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.”

Red Canary shared a list of indicators that Silver Sparrow has infected a device—version 1 or version 2 alike—in its announcement. The company also shared a few signs that aren’t specific to Silver Sparrow but could also indicate whether or not other malware is present on a given device.