First reported by Red Canary in February 2021, Silver Sparrow is a curious type of malware because it does not carry an actual payload, meaning that it has no functionality of its own. So far, none of the 40,000 infected Macs has been affected by additional components downloaded after Silver Sparrow itself. The binaries delivered were simple “bystanders”, as the Red Canary research team called them. This prompted some cybersecurity researchers to consider Silver Sparrow a mere proof of concept that happened to spread to a large number of devices. However, that does not mean it is not a threat to Mac security.
“Even if Silver Sparrow seems to be still in the early stages of development and activity, the fact that it can download and run any binary in a stealthy approach raises concerns in terms of security, but also gives a glimpse into the purpose of the attackers: they could use this method to further evolve Silver Sparrow, transforming it into a more serious threat or download other malware families, thus using Silver Sparrow as a rentable distribution channel for other malicious files,” says Bogdan Anghelache from Avira Protection Labs.
According to Avira Protection Labs, there are two versions of this malware family: one that is compiled only for the Intel x86_64 architecture (can be recognized by the agent_updater string IOC) and one that is compiled for both Intel x86_64 and Apple M1 ARM architectures (can be recognized by the verx_updater string IOC).
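The paragraph above tells an analyst two things to check on a suspicious binary: which CPU architectures it was compiled for, and whether one of the two variant strings is present. The following Python script, added here as an example and not code from Avira or Red Canary, does exactly that triage offline: it parses the Mach-O fat header (big-endian) or a thin 64-bit header (little-endian) to list the architectures, then searches the file for the `agent_updater` and `verx_updater` strings named in the text. The sample blobs at the bottom are constructed headers plus a marker string, not real Silver Sparrow executables; the variant labels are my own wording of the page's two versions.

```python
import struct

# Mach-O constants (from <mach-o/fat.h> and <mach/machine.h>).
FAT_MAGIC = 0xCAFEBABE        # fat header is stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O, little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# String IOCs named in the article for the two Silver Sparrow variants.
STRING_IOCS = {
    b"agent_updater": "Silver Sparrow v1 (x86_64-only build)",
    b"verx_updater": "Silver Sparrow v2 (x86_64 + arm64 build)",
}


def architectures(data: bytes) -> list:
    """Return the CPU architectures in a Mach-O image (fat or thin 64-bit)."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat_arch):
            off = 8 + i * 20            # each fat_arch entry is 20 bytes
            if off + 20 > len(data):    # truncated header: stop rather than crash
                break
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    return []                           # not a Mach-O image we understand


def triage(data: bytes) -> dict:
    """Combine architecture info with string IOC hits.

    A string hit alone is weak evidence (any file can contain the word);
    pair it with the architecture list, code signature and download source.
    """
    hits = [label for ioc, label in STRING_IOCS.items() if ioc in data]
    return {"archs": architectures(data), "iocs": hits}


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# --- constructed samples: headers plus a marker string, not real executables ---
def _fat(cputypes, payload: bytes) -> bytes:
    body_off = 8 + 20 * len(cputypes)
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for ct in cputypes:   # cputype, cpusubtype, offset, size, align
        out += struct.pack(">IIIII", ct, 0, body_off, len(payload), 12)
    return out + payload


def _thin(cputype, payload: bytes) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0) + payload


SAMPLE_V1 = _thin(CPU_TYPE_X86_64, b"\x00agent_updater\x00")
SAMPLE_V2 = _fat([CPU_TYPE_X86_64, CPU_TYPE_ARM64], b"\x00verx_updater\x00")
SAMPLE_BENIGN = _fat([CPU_TYPE_X86_64, CPU_TYPE_ARM64], b"\x00hello world\x00")

if __name__ == "__main__":
    for name, blob in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(blob))
```

Run `triage_file("/path/to/suspect")` against a real download; a universal binary reporting both `x86_64` and `arm64` together with the `verx_updater` hit matches the second variant the text describes, while a thin `x86_64` image with `agent_updater` matches the first. The architecture check matters on its own too: an attacker who ships an arm64 slice has deliberately targeted M1 hardware.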
Pirrit is adware that has been distributed as utility software since 2016. Disguised as a video player or PDF reader, Pirrit has been infecting macOS and Windows devices. It can make itself persistent, i.e. keep running in the background across reboots, by creating a LaunchDaemon and posing as a legitimate Apple application.
Pirrit is used to spy on users’ browser activity and inject advertisements into the browser. After being installed, it typically scans the extensions installed in Safari and removes them. In conducting its spying and ad-injection activities, OSX Pirrit evolved from downloading and installing malicious browser injections to modifying internal properties of different installed browsers such as Firefox and Chrome. It also changes the browser’s default search provider to “tika-search.com” or “delta-search.com”. OSX Pirrit uses a specially crafted binary that runs in the background to take control of the targeted browser and monitor the user’s activity. Based on that activity (links visited, search queries), this malicious component injects ads into the web page or opens new tabs with a specific ad.
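The persistence trick described for Pirrit, a LaunchDaemon that poses as an Apple component, is something a defender can audit for. The Python script below is an added example (not Avira's code, and the plists it writes are constructed look-alikes, not Pirrit's real artifacts): it loads every launchd job file in a directory and flags jobs whose label imitates Apple's `com.apple.` namespace while living outside Apple's own `/System/Library` directories, or whose program runs from a user-writable path. The trusted-path prefixes and the "Apple daemons live under /System" rule are my assumptions for the heuristic, not something the article states.

```python
import os
import plistlib
import tempfile

# Assumption: Apple's own launchd jobs ship under /System/Library; a com.apple.*
# label anywhere else (e.g. /Library/LaunchDaemons) deserves a second look.
APPLE_JOB_DIRS = ("/System/Library/LaunchDaemons", "/System/Library/LaunchAgents")
# Assumption: where an Apple-labelled job is expected to execute from.
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/",
                            "/usr/bin/", "/sbin/", "/bin/")
# Paths an ordinary user (or malware running as that user) can write to.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                          "/private/var/tmp/", "/Users/")


def program_of(job: dict) -> str:
    """Resolve the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_job(path: str, job: dict) -> list:
    """Return human-readable findings for one launchd job description."""
    findings = []
    label = job.get("Label", "")
    program = program_of(job)
    apple_label = label.startswith("com.apple.")
    if apple_label and not path.startswith(APPLE_JOB_DIRS):
        findings.append(f"{path}: Apple-style label '{label}' outside Apple directories")
    if apple_label and not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings.append(f"{path}: Apple-style label runs untrusted program '{program}'")
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"{path}: job executes from user-writable path '{program}'")
    return findings


def audit_dir(dirpath: str) -> list:
    """Audit every *.plist job file in a launchd directory."""
    findings = []
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(dirpath, name)
        try:
            with open(full, "rb") as fh:
                job = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError) as exc:
            findings.append(f"{full}: unreadable plist ({exc})")
            continue
        findings.extend(audit_job(full, job))
    return findings


def build_demo_dir() -> str:
    """Write two constructed job plists into a temp dir (not real Pirrit files)."""
    d = tempfile.mkdtemp(prefix="launchdaemons-demo-")
    jobs = {
        # legitimate-looking third-party updater: vendor label, vendor install path
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
            "RunAtLoad": True,
        },
        # constructed look-alike: Apple-style label, hidden binary in a user's home
        "com.apple.softwareupdates.plist": {
            "Label": "com.apple.softwareupdates",
            "ProgramArguments": ["/Users/alice/Library/.cache/updater", "-d"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for fname, job in jobs.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    for line in audit_dir(build_demo_dir()):
        print(line)
```

On a real Mac the call is `audit_dir("/Library/LaunchDaemons")` (and `/Library/LaunchAgents`, plus each user's `~/Library/LaunchAgents`). A hit is a lead, not a verdict: confirm by checking the program's code signature and who installed it before removing anything.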
Since the infected Xcode projects are modified to run malicious code, XCSSET affects not only the victim’s computer but also every other user to whom the developer distributes the project. With many developers collaborating on platforms such as GitHub, the malware can spread easily and turn into a supply-chain attack.
Apple has just begun its transition to ARM processors for the Mac, and the Intel x86 and ARM architectures will coexist for a long time. At this point, Intel’s x86 architecture dominates the market by far and, consequently, the volume of malware targeting x86 devices is much higher. However, cybercriminals’ interest in the ARM architecture will rise in parallel with the public’s interest. Silver Sparrow, Pirrit, and XCSSET are just the first of many threats that will target ARM-based Macs.
For end users, it’s important to be aware of all the dangers lurking online, from the different types of viruses and malware to phishing and elaborate social engineering attacks. With a good knowledge of cyberthreats and the right tools to protect your devices and data, the risk of falling prey to cybercriminals is low. For additional protection, make sure to check out Avira Free Security for MacOS.