The virus has been detected on computers running Apple's new M1 chip.
Tens of thousands of Mac computers have reportedly been infected with a "previously undetected strain of malware" according to security researchers.
The team at security operations provider Red Canary discovered the malware last week.
"We quickly realised that we were dealing with what appeared to be a previously undetected strain of malware," the company's intelligence analyst Tony Lambert said in a blog post.
According to Malwarebytes data, the installer that Red Canary has named "Silver Sparrow" had infected just under 30,000 computers as of last Wednesday, with "high volumes of detection" in the US, UK, Canada, France and Germany.
Investigators discovered two versions of the malware, including one designed to run on Mac computers powered by the new M1 chips Apple recently introduced in some models, for which few or no security vulnerabilities were known.
But one thing about the malware has left the investigators stumped: It doesn't appear to do anything, yet.
A version compiled for older Intel Macs delivers a message simply saying "Hello world!", while one for M1 Macs tells victims "You did it!", messages that "could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate".
"Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice," Lambert warned.
It gets worse.
Like a large proportion of the world's websites, Silver Sparrow connects to a server run by the cloud-market-dominating Amazon Web Services (AWS).
Lambert notes that AWS "offers a highly available and resilient file distribution method", allowing the attackers to serve out files and operate without worrying about additional network administration or overheads, as well as giving them a way to hide.
Lambert also said the person or persons behind Silver Sparrow "likely understands the cloud infrastructure and its benefits over a single server or non-resilient system" and "likely understands this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic".
"Most organisations cannot afford to block access to resources in AWS … the decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary," Lambert warned.