Mac users are a very special species: often better earners (expensive equipment!), from more or less creative professions (the software!), and sometimes a little arrogant towards the Windows-using masses. The latter is also related to the fact that Windows users have to deal with nuisances such as virus scanners; Mac users have no use for such mundane things, or so they think. For decades it has been believed that there are practically no malware attacks on Apple products.

A find by the cybersecurity companies Red Canary and Malwarebytes shows that this is now a misjudgment. Their analysts found previously unknown malware on almost 40,000 Apple computers, which they dubbed “Silver Sparrow”. Since then, experts and the Apple fan community have been puzzling over who is behind the program.


Around 1,000 of the infections were also discovered in Germany. The worldwide spread is likely to be significantly higher than the 40,000 known infections, says security researcher Christian Funk, who heads the German research department of the IT security company Kaspersky. While almost all new Windows computers come with trial versions from Kaspersky, McAfee or Symantec, Apple products are untouched in this regard. It is understandable that Mac users do not even bother with one of the scanners that so often pop up annoyingly on the screen, especially since most of the major viruses and worms really are written for Windows.

The malware that has now been found is causing some excitement, especially among the Apple specialists among security researchers, because some details are mysterious. The wide spread puzzles experts: in order to install the software, users had to actively consent to the installation of files named “update.pkg” or “updater.pkg”. It is still unclear where these came from. The analysts from Malwarebytes suspect compromised websites. But did 40,000 users really agree to the download and then think it would be a good idea to install software that had accidentally been downloaded from the Internet?

The program just says “Hello world”

Another peculiarity of the software stands out: at first glance it seems pointless and does not appear to have any harmful function at all. It does not steal passwords, does not encrypt its target’s data, does not demand a ransom to decrypt it, does not spy. It does not even show unsolicited advertisements. There is an executable file (in two versions), but it does nothing more than display a sentence: “Hello World” (a classic of programming history since the 1970s) and “You did it”. The fact that there are two versions is due to another anomaly that makes experts prick up their ears: one version of the malware code was apparently written specifically for Apple’s new M1 processors, which have only been on the market since the end of last year. So the hackers are early.


So there is no malicious code, but the software does occasionally come to life: once an hour it contacts a control server to check whether it should download further software. According to Christian Funk, it is therefore more of a “loader” than a virus or a Trojan. As an IT defender, he would still sound the alarm immediately, because the software is definitely dangerous. The “king of malware”, the Emotet Trojan, proceeded in a similar manner: the actually harmful software was usually only downloaded once Emotet had already gained a foothold in the system.

Another detail of the loader is also much discussed. If the software received a certain command during its hourly contact with the control servers, it would delete itself and almost all traces of its existence: a self-destruct mechanism. All that remains is a file with a cryptic name. This so-called kill switch was apparently used frequently on Silver Sparrow: of just over 40,000 infected machines, Malwarebytes’ scanner found only that file in 39,000 cases. So the developers of the smuggled-in software had evidently noticed that IT security researchers were on their heels.
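The behaviour described above, a loader that asks its control server once an hour whether to fetch a payload, is exactly the kind of regularity a defender can look for in outbound-connection logs. The following script is an added example and not code from the article, from Red Canary or from Malwarebytes: it groups connections by process and destination and flags flows whose gaps cluster tightly around a one-hour period. The log lines, process name and host name are constructed placeholders, not Silver Sparrow indicators.

```python
"""Flag timer-driven check-in traffic in a process connection log.

Added example, not from the article. Sample data is constructed; the
process name "updater" and host "cdn.example-placeholder.net" are
placeholders, not real indicators of compromise.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one line per outbound connection:
#   "<ISO timestamp> <process> -> <destination host>"
SAMPLE_LOG = """\
2021-02-18T09:00:03Z updater -> cdn.example-placeholder.net
2021-02-18T09:12:41Z Safari -> www.example.org
2021-02-18T10:00:01Z updater -> cdn.example-placeholder.net
2021-02-18T10:31:17Z Safari -> www.example.org
2021-02-18T11:00:05Z updater -> cdn.example-placeholder.net
2021-02-18T11:58:49Z Safari -> www.example.org
2021-02-18T12:00:02Z updater -> cdn.example-placeholder.net
2021-02-18T13:00:04Z updater -> cdn.example-placeholder.net
"""


def parse_log(text):
    """Return a list of (datetime, process, host) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, _arrow, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proc, host))
    return events


def find_beacons(events, period_s=3600, tolerance=0.05, min_hits=4):
    """Return {(process, host): mean_gap_seconds} for flows that check in
    about every period_s seconds with little jitter.

    A human-driven browser session produces irregular gaps; a loader on an
    hourly timer produces gaps that all sit close to 3600 s.
    """
    by_flow = defaultdict(list)
    for ts, proc, host in events:
        by_flow[(proc, host)].append(ts)

    flagged = {}
    slack = tolerance * period_s
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue  # too few contacts to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Mean near the expected period AND low spread around it: a timer, not a person.
        if abs(avg - period_s) <= slack and pstdev(gaps) <= slack:
            flagged[flow] = avg
    return flagged


if __name__ == "__main__":
    for (proc, host), avg in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{proc} -> {host}: checks in about every {avg:.0f} s")
```

The tolerance and minimum-hit thresholds are the tuning knobs: a loader that adds random delay to its timer widens the gap spread, so in practice the jitter bound is set from observed benign traffic rather than a fixed percentage, and the same grouping can be run per destination only, to catch a check-in that changes its process name between runs.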

Apple responded by revoking the digital certificates the authors had used to sign the software. This means that from now on users can no longer install the files on their Macs.


There is some speculation about who programmed the malware. Were they state hackers who tried to smuggle their way into Macs through security holes and wanted to try out their arsenal? Probably not, several security researchers told the SZ. Thomas Reed, author of the Malwarebytes report, is fairly sure that it is the first stage of development of what is known as adware. Such malware hijacks users’ browser traffic and clicks on advertising banners in the background, simulating human attention and thereby generating advertising revenue for the criminals. Kaspersky expert Funk also thinks this is likely.

Messages like “Hello World” and “You did it” indicate to Funk that it is probably experimental malware, a trial balloon. Given the excitement the experiment has caused in the Apple world, he now expects it to be put on hold for the time being. Nevertheless, it was a success: the virus spread, the code worked. Apple users can expect more malware.
