Mysterious Macintosh Malware

This is weird:

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.

Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.

Feels government-designed, rather than criminal or hacker.

Another article. And the Red Canary analysis.

Posted on March 2, 2021 at 6:05 AM · 19 Comments
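As an added example (not from the article, the Red Canary analysis, or this post): the hourly check-in described above is something a defender can look for in proxy or DNS logs. The sketch below flags client/host pairs whose connections recur at multiples of one hour, tolerating check-ins missed while a laptop sleeps; the log format, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format): ISO timestamp, client, destination host.
SAMPLE_LOG = """\
2021-02-20T09:00:04 mac-017 c2-placeholder.example
2021-02-20T09:03:11 mac-017 mail.example.com
2021-02-20T09:41:50 mac-017 mail.example.com
2021-02-20T10:00:09 mac-017 c2-placeholder.example
2021-02-20T11:00:02 mac-017 c2-placeholder.example
2021-02-20T11:15:02 mac-017 mail.example.com
2021-02-20T11:20:44 mac-017 mail.example.com
2021-02-20T13:00:05 mac-017 c2-placeholder.example
2021-02-20T14:00:01 mac-017 c2-placeholder.example
2021-02-20T14:02:19 mac-017 mail.example.com
"""

def find_beacons(log_text, period=3600, tolerance=120, min_events=4):
    """Return {(client, host): event_count} for pairs whose every gap is
    within `tolerance` seconds of a whole multiple (>= 1) of `period`."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, host = parts
        seen[(client, host)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in seen.items():
        if len(times) < min_events:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = True
        for gap in gaps:
            k = round(gap / period)  # number of periods this gap spans
            if k < 1 or abs(gap - k * period) > tolerance:
                regular = False
                break
        if regular:
            hits[key] = len(times)
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Legitimate software also polls on fixed schedules, so a hit is a lead to triage against known update and telemetry hosts, not a verdict.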


Clive Robinson March 2, 2021 8:31 AM

@ Bruce, ALL,

Feels government-designed, rather than criminal or hacker.

Almost certainly a level III attacker but “State or Commercial”? But I must admit the little said makes me think of those that made the likes of Duqu and Flame in particular.

It would be interesting to see if the hourly “ET Phone home to the mothership” sends any particular information, that may be used as an Intelligence Flag.

That is you launch a “Fire and Forget” equivalent of a “loader” that just reports back with basic info. However if the info is a match for “a target’s MO” then and only then do you download the “full kit” of tools and only to that computer.

It’s the sort of thing you would do if you know your target practices more than basic opsec and does things like swap computers on a very regular basis as they move about in quite a large geographic area.

Chelloveck March 2, 2021 10:23 AM

Sounds like a bog-standard botnet client to me. Kind of sophisticated, but not unbelievably so. Is there any real evidence that it’s something more? If not, speculation amounts to little more than saying, “I don’t know what it is, therefore it must be aliens!”

Andy March 2, 2021 10:45 AM

So the Command & Control center is an AWS S3 bucket? How hard is it to compel Amazon to give out owner’s information? 30,000 computers running unauthorized software should be reason enough for a judge to issue the warrant, don’t you think?!

Bear March 2, 2021 11:50 AM

Just want to point out for anyone who missed it that “there is no sign that the self-destruct capability has been used” is just another way to spell “if the self-destruct capability has been used then it was used successfully.”

There is no way to detect a successful stealth removal, unless you have a machine whose infection was known and verified in the first place.

Clive Robinson March 2, 2021 2:56 PM

@ Bear,

There is no way to detect a successful stealth removal, unless you have a machine whose infection was known and verified in the first place.

Which you can get from “backup deltas”…

If you back up on a regular basis (say every Friday) then if you compare backups the differences will still give you the malware files even after the self destruct has cleaned up.

There is a lot of information contained in backups that if you know what you are doing you can use for security, though understandably few choose to do so.

Which is maybe why the likes of HIDS software that does baseline file system checking such as TripWire and AIDE became popular this century because they do something similar with less pain.

Speaking of pain, for those that want to get real down and dirty you can patch most *nix kernels to log all Create / Update / Delete type file system activity off to a network log, the trick being getting the filter correct.
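An added example of the “backup deltas” idea in the comment above (not the commenter's code): hash every file in each restored backup tree, then report files that were absent from the oldest backup, present in a later one, and gone again from the newest. The function names and the assumption that each backup is restored to its own directory are illustrative.

```python
import hashlib
import os

def manifest(root):
    """Map each regular file's path (relative to `root`) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # hash regular files only
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            out[os.path.relpath(full, root)] = digest.hexdigest()
    return out

def transient_files(manifests):
    """`manifests` is ordered oldest to newest. Return
    {path: (index_first_seen, sha256)} for files missing from the oldest
    backup, present in a middle one, and missing again from the newest."""
    if len(manifests) < 3:
        return {}  # need a before, a during and an after
    first, last = manifests[0], manifests[-1]
    found = {}
    for idx, snap in enumerate(manifests[1:-1], start=1):
        for path, digest in snap.items():
            if path not in first and path not in last and path not in found:
                found[path] = (idx, digest)
    return found

if __name__ == "__main__":
    # Constructed manifests standing in for three weekly backups.
    week1 = {"Applications/Notes.app/bin": "aa"}
    week2 = {"Applications/Notes.app/bin": "aa",
             "Library/LaunchAgents/placeholder.plist": "bb"}
    week3 = {"Applications/Notes.app/bin": "aa"}
    print(transient_files([week1, week2, week3]))
```

Caches and temporary files will also show up as transient, so the output needs filtering by location; the recorded digest is what lets a removed file be matched against published indicators afterwards.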

SpaceLifeForm March 2, 2021 3:09 PM

@ Clive, ALL

“State or Commercial”?

Is there really a difference these days?

Just the periodic pinghomes provides a lot of information.

Using just the ip address and timestamp will tell one a lot. And when missing.

Leaking an ID such as a MAC, and then, over time, one can determine movement.

Correlate with other traffic. Bob’s your uncle.

It’s just a matter of time to pseudo-id the user, where they live, etc.

The real question should be: What information did the user provide at initial setup?

Is it as much as Win10 wants?

Francois March 2, 2021 3:18 PM

It could always be China.

I wonder if this is U.S. CIA/DIA/NSA project, to set up a platform that they might use in the future for cyberwar offense/defense.

It could be organized crime.

And, this is way out there but, I wonder if there are a few billionaires in the world who do extreme contingency planning. I mean, I know for certain there are billionaires with extreme “doomsday prepper with lots of money” contingencies already set up and ready to use. But some of that could be cyber-prepping.

Clive Robinson March 2, 2021 7:10 PM

@ SpaceLifeForm, Bruce, ALL,

With regards the,

“Active exploitation of Microsoft Exchange Zero days”

I guess an upsurge in such attacks would be expected with “COVID Lockdown” and vastly increased “Homeworking”.

Let’s be honest, most “Homeworking” is being done the wrong way as the bulk of people implementing it have had to hit the ground running with next to no resources or experience and “Make it up as you go along” appears to be the significant MO.

The big problem nobody is really talking about is the way corporate security is often done. That is it’s often not very good “Perimeter Defence” with nearly all the effort on the Firewall at the gateway and IDS immediately behind it.

Which means once inside that shell nearly all is open and available to an attacker because corporate user systems are really not “hardened” or “locked down” in any meaningful way in case it gets in the way of “productivity”…

Thus to get those user systems working at home there are two basic solutions,

1, Give them Hard VPN access.
2, Open up the Firewall and ignore the IDS squeals.

The first solution requires the sourcing of equipment which has to be purchased “if” available, which it probably is not[1]. So the “free software” as in no purchase cost approach with the second solution has been the major choice…

I think on somber reflection if you were planning on implementing secure remote access rather than jumping at the point of a gun, the second solution would not be high on your list if on it at all.

[1] Some news is suggesting that Silicon Fabs are not producing chips because of COVID related “feed stock” issues, which has resulted in calls for “Executive action”,

Actually from what I’m hearing the problem is more likely down to four fab plants going off-line due to “accidents” including a major fire that has destroyed AKM’s Fab2 factory I warned about causing “problems down the line” at the time it happened.

The AKM fab specialised in A to D and D to A converters that are essential for real world control as well as communications systems and personal computers. Which kind of makes them a “critical supplier” for many industries, thus the loss of their chip manufacturing capacity had knock on effects immediately.

With some car manufacturers not placing orders, the Fabs that produced their chips have switched over to producing other chips like those to replace some of AKM’s to fill the void. The car manufacturers are not really a big player as far as semiconductors go and they are definitely “low profit” thus semiconductor manufacturers are probably not so keen on going back to making their chips when demand thus profit is higher in other market sectors that have lost capacity due to the AKM and other accidents. Thus I hear that the aroma of singed sock might be detected in C-Corridor and offices containing MBAs at various auto manufacturers 😉

lurker March 2, 2021 11:33 PM

@Francois: It could always be China.

China has some experience in going the long way round to target Mac malware at Tibetan secessionists. Previous attacks were phishing or spear-phishing. The current method creates a global smokescreen under which nobody sees the stealth removals from the successful targets.

name.withheld.for.obvious.reasons March 3, 2021 4:28 AM

Since the update to the macOS 11 Big Sur includes significant changes that are antithetical to problem determination and change control. The ACL/Perms/Meta i-node modifications include changing all the mod/creat timestamps to one value seems highly problematic. When all system and applications files report values that are the same, an opaque layering that at a minimum calls the validity and integrity of the distribution sources and installation into question. I’d like to know why this is a “useful” thing to do.

Get back with more information soon…

lurker March 3, 2021 11:17 AM

I’ve got a feeling Steve Jobs would never have allowed javascript in the installer.

Thunderbird March 4, 2021 1:23 PM

Please stop saying it must be the Russians every time you have no clue of who did something.

Hmm. That is the first occurrence of the string “Russ” in this entire page. I think that Shakespeare guy said something apropos.

Clive Robinson March 4, 2021 4:45 PM

@ SpaceLifeForm,

Is there really a difference these days?

A good question. Back last century when having your own herd of bots was the pinnacle of achievement in the cracker world. The reason was simple: nobody visible back then had worked out how to monetize their dubious skills…

Which kind of surprised me, “ego food” or “peer street cred” might be great when you are a teenager living off of mum and dad, but as a twenty something it’s not putting bread on the table. When I talked about this point I was not popular with others who had more of the public eye.

However I suspect that even back then the smarter criminals who had the knowledge of how to move money around out of sight and launder it sparkling bright were moving in on crackers in one way or another. The fact that it appears to many to be “Eastern Europe and Russia” where computer crime “is king” is more to do with the types of criminals and the politics of those regions. I suspect that there are just as many elsewhere but that they are more experienced at staying off of the radar, as the political situation where they are is nowhere near as favourable.

But also crackers found their way into businesses somewhat more legitimately, Italy being just one place, Israel another and so on. Again it’s the politics of the region / country that enabled them to be more visible. But we know through the likes of Cambridge Analytica that “crime” can be both very discreet, whilst well connected to “the establishment” in countries like the UK, where various types of “well connected” mercenaries are not that hard to find. Likewise the US where having a family member being a legislator is just one level of connection.

Sometimes the line between criminal and commerce is shall we say not where you would expect. Likewise commerce and politics. Thus I guess the answer to your question is,

“Not really, it’s a matter of perception not actuality.”

name.withheld.for.obvious.reasons March 6, 2021 8:50 PM

The most plausible explanation so far, the build process was changed to map to one creation time for all files irrespective of their actual creation time. The same mtime is also given to system files. To me this seems counterintuitive when it comes to build analysis–especially when doing problem determination with respect to a distro version.

@ lurker
I’d hate to think that there is a coded or programmatic step to this process involving installation, macOS already consumes too many cycles in the upgrade or installation process to incur significant overhead in touching all the inodes, but that does mean that Apple didn’t take the approach. I’d argue that is indeed a really dumb idea–having the install process choose a fixed time for all the system files at install–what good does that do?

In my limited research the file system i-node timestamp issue the only other explanation I’ve been able to piece together is the use of an APFS feature enabled by the flag INODE_IS_APFS_PRIVATE. So far the underlying behavior is something to clarify, will return with more info as I dig.

SpaceLifeForm March 8, 2021 4:26 PM

@ lurker, name.withheld.for.obvious.reasons

The touch command

But why?

I agree it makes little sense. Except, if you want to catch post-install mods to files that should not be modified.

So, yes, that sounds like something Apple would do. Which means they are periodically checking timestamps against a base timestamp. Hidden somewhere.

In the olden daze, I always liked checking timestamps on the distributed binaries. You could discern a lot about their build process. The order of how the toolchain was built. The order the other userland tools were built.

name.withheld.for.obvious.reasons March 20, 2021 9:02 PM

To date there is little from Apple that describes why I-nodes all have the Jan 1 00:00:00 2020 timestamps. Updates to the OS do change the mod times but the creation time remains the same if it is modified. Just don’t understand how this is a logical change to systems behavior and makes me think the build process is not being monitored that well. Limited information from Apple suggests that it is a benign change without any supporting rationale. I see it as problematic and does leave one with a high level of confidence.

System directories that have been touched by updates are reflecting appropriate times along with binaries and data files that are replaced, but that’s it.
