The malware, called Silver Sparrow, has not yet engaged in malicious activity.
Mysterious malware
The malware, which security firm Red Canary has dubbed “Silver Sparrow,” has puzzled researchers because its motives remain unclear.
“Most malware has an ultimate goal,” Brian Donohue, an intelligence analyst at Red Canary, told ABC News via email. “It could be stealing sensitive information, causing damage to devices or servers, or blocking access to data. In this case, we do not really know what the ultimate goal is because we have not observed Silver Sparrow engaging in malicious activity.”
However, Donohue noted that most malware operations consist of several supporting stages that take place before any malicious activity, such as gaining initial access or moving between devices on a network.
“In the case of Silver Sparrow, we have seen other parts of the malware operation, although we have not observed the final payload,” he added. “For example, we’ve observed it using macOS built-in features to install itself on sacrificial machines and maintain persistence across reboots.”
Donohue said a member of Red Canary’s cyber incident response team first discovered the malware, which includes code that runs on Apple’s new M1 chip, based on suspicious behavior from a customer’s device. They have not identified its origin.
“As of today, we can confirm that the threat has infected nearly 40,000 macOS devices,” he told ABC News, citing published data from antivirus firm Malwarebytes, though he said it was likely an “underestimation of the overall scale of the threat.”
He added that the malware has been called mysterious for two reasons. The first is that it lacks a final payload, so researchers cannot determine the purpose of the threat.
“The second concerns a file that, if found on an infected machine, causes Silver Sparrow to uninstall itself,” Donohue said. “We do not know why this file exists on certain systems or why its presence causes Silver Sparrow to uninstall itself.”
Although Silver Sparrow is not currently delivering a malicious payload, Donohue said they are “concerned that it may be updated to deliver one at a moment’s notice.”
“This is reinforced by the fact that it has a presence on nearly 40,000 machines and all the infrastructure needed to support a more concerning threat,” he said.
Apple told ABC News that, after detecting the malware, it revoked the certificates of the developer accounts used to sign the packages, preventing new machines from becoming infected.
Apple pointed to its security protections and mechanisms, saying the App Store is the safest place to download software for Mac computers. In addition, Apple said it uses industry-leading technical mechanisms to protect users by detecting and blocking malware in software downloaded outside the Mac App Store.
The company also noted, as was made clear by the researchers, that there is no evidence that the new malware has delivered a malicious payload.