Checklist 220: Malware and the M1 with Patrick Wardle
This week on the Checklist, security researcher Patrick Wardle joins us to discuss the new Silver Sparrow malware variant.
Security Note: If you’re a MacScan 3 user, your software already has access to definitions for the Silver Sparrow malware discussed in this episode. MacScan will update its definitions automatically the next time you launch it. If you don’t currently use MacScan, you can download a free 30-day trial version of the software from our site.
Little Bird. Big Deal?
Last week, security researchers announced that they had uncovered a new piece of macOS malware. Named “Silver Sparrow” by the researchers who discovered it, the new Mac malware variant is notable in that it runs on both older Intel machines and the new M1 Macs. According to data collected by other cybersecurity firms, Silver Sparrow malware has infected at least 30,000 Macs worldwide.
Patrick Wardle, a prominent member of the Mac security research community, joined us to discuss Silver Sparrow — and to talk about how it fits into the larger picture of macOS security.
As we mentioned, the big news about Silver Sparrow is that it doesn’t just run on the older Intel Macs, which use the x86 processor architecture, but also on the new ARM-based Apple Silicon Macs (i.e., the ones with the M1 chip inside).
However, while we know what machines Silver Sparrow can affect, it’s less clear what the malware actually does. Researchers have found that it installs a persistence mechanism (the ability to survive reboots) upon infection. They also know that it connects to a command and control server to obtain an additional malicious payload. However, no one has actually seen one of these payloads! In all of the “in the wild” infections spotted by security teams, no extra malicious components were actually downloaded.
The large number of infections with “missing payloads” has led some journalists to talk about Silver Sparrow as an especially mysterious piece of malware. But Wardle suspects that the malware is most likely a run-of-the-mill adware dropper, and that we’re merely seeing the early stages of its deployment:
My guess is that the first step is “growing a user base”: seed an environment, infect a lot of users, and then you can swap in your adware-related payloads at a later time. You can swap in and swap out different payloads based on “market trends” in the adware space. Maybe the best way to make money this week is to generate referral links; but perhaps next week it’s injecting ads into webpages. [Silver Sparrow] has a customizable payload component, but this isn’t incredibly unusual … it’s actually just good software design.
For the same reason, there’s probably nothing all that special about Silver Sparrow’s ability to remove itself from infected systems — a feature that has been compared to what you find in nation-state malware. Wardle thinks that in the case of Silver Sparrow, it’s probably a sign of quality more than anything else:
Malware is simply software (albeit with malicious intent). In well-designed software, you have an installer, but you also have the ability to uninstall it. That’s just good software engineering practice … it’s not a feature we see in all adware, but that doesn’t make this a “high-stealth” operation. It’s just that it was written by a competent software engineer!
The M1 and Mac security
The good news is that Apple has taken action to halt the spread of Silver Sparrow malware. They’ve already revoked the certificates of the developer accounts that signed the original malware. This should prevent any additional infections (at least for malware installers signed using those developer IDs).
It’s less clear if already-infected machines will be stopped from running malicious Silver Sparrow components. In many cases, Mac malware relies on code-signed installers, but then uses unsigned persistent components. These unsigned components are still able to run even after the IDs used to sign the installers get blocked.
Wardle points out that the Mac does come with its own basic anti-malware protection. This includes the macOS Malware Removal Tool (MRT), which gets automatic definition updates from Apple. Because of this, MRT may be able to detect code strings belonging to Silver Sparrow’s unsigned components, and remove the offending files.
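The point above about signed installers dropping unsigned persistent components is easy to check for yourself. The following Python script is an added example, not code from the podcast or from Patrick Wardle's tools: it walks the standard launchd persistence folders, extracts the program each plist starts, and asks Apple's `codesign` tool whether that program is signed at all. The plist in the block is a constructed sample pointing at a path that does not exist; the script assumes `codesign` is on the path, as it is on macOS, and reports `unknown` elsewhere.

```python
"""Triage launchd persistence items: which program does each start, and is it code-signed?"""
import os
import plistlib
import shutil
import subprocess
from pathlib import Path

# Folders launchd reads for per-user and system-wide persistence items.
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def program_path(plist_bytes):
    """Return the executable a launchd plist starts, or None if it cannot be parsed."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception:  # not XML or binary plist
        return None
    if isinstance(item.get("Program"), str):
        return item["Program"]
    args = item.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def signing_status(path):
    """Classify the file at `path`: 'missing', 'signed', 'unsigned', 'invalid',
    or 'unknown' when Apple's codesign tool is not available on this system."""
    if not os.path.exists(path):
        return "missing"
    codesign = shutil.which("codesign")
    if codesign is None:
        return "unknown"
    # `codesign -dv` prints its findings on stderr; exit status 0 means a signature was found.
    res = subprocess.run([codesign, "-dv", path], capture_output=True, text=True)
    if res.returncode == 0:
        return "signed"
    if "not signed at all" in res.stderr:
        return "unsigned"
    return "invalid"


def triage(items):
    """items: iterable of (label, plist_bytes). Returns one report dict per item."""
    report = []
    for label, blob in items:
        path = program_path(blob)
        report.append({
            "plist": label,
            "program": path,
            "status": signing_status(path) if path else "unparsed",
        })
    return report


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Read every *.plist in the launchd folders and triage it."""
    found = []
    for folder in dirs:
        if folder.is_dir():
            for plist in sorted(folder.glob("*.plist")):
                found.append((str(plist), plist.read_bytes()))
    return triage(found)


# Constructed sample plist for demonstration; the path is deliberately nonexistent.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.example.constructed.agent",
    "ProgramArguments": ["/tmp/constructed_example/not_here", "--run"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for row in scan_launch_dirs():
        print(f"{row['status']:>8}  {row['program']}  ({row['plist']})")
```

Items reported as `unsigned` or `invalid` are the ones a certificate revocation will not touch, so they deserve a closer look; `missing` usually means an installer was cleaned up but left its launchd entry behind.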
In terms of what all of this means for the future of macOS security, there are a couple of takeaways.
For one thing, it’s clear that bad actors are already developing macOS malware for Macs that have the new M1 chip — and that ARM-based Macs will be seeing more malware in the future. In a way, this is pretty unsurprising: Apple’s own Xcode software development tool makes it easy for app developers to create and compile code that runs on both Intel and Apple Silicon Macs. If you’re a “bad guy” writing malware for macOS, it’s trivial to create malware that will work on both Mac hardware architectures.
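Xcode delivers code that runs on both architectures as a "universal" (fat) Mach-O, so a defender triaging a suspicious file can tell at a glance whether it targets Intel, Apple Silicon, or both. The parser below is an added example, not code from the podcast or from Wardle's tools; it reads only the fat header and Mach-O header fields that Apple's own `<mach-o/fat.h>` and `<mach-o/loader.h>` define, and the sample binaries it checks are constructed headers, not real executables.

```python
"""Report which CPU architectures a Mach-O file was built for."""
import struct
from pathlib import Path

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # universal binary headers (big-endian)
MH_MAGICS_BE = {0xFEEDFACE, 0xFEEDFACF}             # thin Mach-O, big-endian on disk
MH_MAGICS_LE = {0xCEFAEDFE, 0xCFFAEDFE}             # thin Mach-O, little-endian on disk
CPU_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}


def architectures(data):
    """Return the list of architecture names found in the Mach-O bytes `data`."""
    if len(data) < 8:
        return []
    magic, = struct.unpack(">I", data[:4])
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        nfat, = struct.unpack(">I", data[4:8])
        # Java class files share the 0xCAFEBABE magic; their version word is far larger
        # than any plausible architecture count, so treat large values as "not Mach-O".
        if nfat > 32:
            return []
        entry_size = 32 if magic == FAT_MAGIC_64 else 20  # fat_arch vs fat_arch_64
        archs = []
        for i in range(nfat):
            off = 8 + i * entry_size
            if off + 4 > len(data):
                break
            cputype, = struct.unpack(">I", data[off:off + 4])
            archs.append(CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}"))
        return archs
    if magic in MH_MAGICS_BE:
        cputype, = struct.unpack(">I", data[4:8])
    elif magic in MH_MAGICS_LE:
        cputype, = struct.unpack("<I", data[4:8])
    else:
        return []
    return [CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}")]


def classify(archs):
    """Summarise an architecture list in the terms used when discussing M1 malware."""
    has_intel, has_arm = "x86_64" in archs, "arm64" in archs
    if has_intel and has_arm:
        return "universal (Intel + Apple Silicon)"
    if has_arm:
        return "Apple Silicon only"
    if has_intel:
        return "Intel only"
    return "not a 64-bit Mach-O" if not archs else "other: " + ", ".join(archs)


def classify_file(path):
    """Read just enough of a file to classify it (a few hundred bytes suffice)."""
    with open(path, "rb") as fh:
        return classify(architectures(fh.read(4096)))


# Constructed headers: a two-slice universal binary and a thin arm64 file.
SAMPLE_FAT = (
    struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">IIIII", 0x01000007, 3, 4096, 100, 12)   # x86_64 slice
    + struct.pack(">IIIII", 0x0100000C, 0, 8192, 100, 14)   # arm64 slice
)
SAMPLE_THIN_ARM64 = struct.pack("<IIIIIIII", 0xFEEDFACF, 0x0100000C, 0, 2, 0, 0, 0, 0)

if __name__ == "__main__":
    for p in Path("/bin").glob("*"):
        if p.is_file():
            print(f"{classify_file(p):<36} {p}")
```

Run on a Mac, the `__main__` block classifies the system binaries in `/bin`, most of which are universal on Big Sur; run the same function over the programs referenced by launchd plists to see which persistence items were built with the M1 in mind.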
As Wardle puts it:
Apple suggests that malware on macOS is incredibly rare, and that they react quickly when it’s detected, so that it’s not widespread. Well, here’s a case where 30,000 infections, and probably way more than that, are occurring in the wild. So it’s notable. It underscores the fact that malware, adware, on the macOS platform is here to stay, and that in some scenarios, there’s at least tens of thousands of infections — that we know of.
The Checklist would like to thank Patrick Wardle for joining us on the program. Here are a few ways to learn more about Patrick and his work:
You can keep up with Patrick on social media by following him on Twitter. In addition, Patrick has a website, objective-see.com, where he maintains a free and open-source collection of Mac security tools — and writes an excellent technical blog focused on macOS security.
Lastly, Patrick is the founder and lead organizer of the Objective by the Sea, the world’s only Mac security conference. The next OBTS will be held in Europe sometime later this year. Details are still being worked out, but if you’d like to get an idea of the diversity and quality of research that goes on at the conference, you can check out our write-ups of OBTS 2.0 and OBTS 3.0.
Do you have a question about security and privacy? A suggestion for a future show topic, or guest? Write to us and let us know!