Researchers have found a malware variant built for Apple's new M1 architecture on nearly 30,000 Macs with the M1 chipset. It is not the first malware tailored for M1 in the wild, but it is striking that it does not yet carry a payload.
The researchers tell Ars Technica that the malware keeps in touch with command-and-control servers hosted at Amazon and Akamai, which makes them difficult to block without also blocking legitimate traffic. It is also not known exactly what the trigger for the malware is.
Those who run the malware's binaries themselves today will only be greeted with the messages "Hello World!" and "You did it!". It is also striking that the malware has a self-destruct mechanism, so that it leaves no unnecessary traces behind after deploying the payload.
What is already clear is that the malware spreads readily. The researchers at Red Canary state that this is partly because it is also compatible with x86_64 processors, which older Macs use. Ars Technica calls the nearly 30,000 infections discovered "impressive".
The infections are mainly concentrated in Western Europe. MalwareBytes also notes that the actual number of infections is likely to be much higher, as they have not been able to detect all of them.
The researchers speculate that the malware may be spreading through rogue search results while masquerading as a legitimate app. They think so because, after a successful installation, the malware requests the URL from which the installer originally came.
The researchers, who come from Red Canary and MalwareBytes, state that the information should be shared with the infosec community, even though the malware currently does nothing. The malware, which they call Silver Sparrow, could receive a very harmful payload in the future. The report also details how to investigate whether the malware is present on a system.