A mysterious new virus detected by researchers last week could be a ticking time bomb for the thousands already infected.
Tens of thousands of Mac computers have reportedly been infected with a “previously undetected strain of malware” according to security researchers.
The team at security operations provider Red Canary discovered the malware last week.
“We quickly realised that we were dealing with what appeared to be a previously undetected strain of malware,” the company’s intelligence analyst Tony Lambert said in a blog post.
According to Malwarebytes data, the installer that Red Canary has named “Silver Sparrow” had infected just under 30,000 computers as of last Wednesday, with “high volumes of detection” in the US, UK, Canada, France and Germany.
Investigators discovered two versions of the malware, including one designed to run on Mac computers powered by the new M1 chips Apple recently introduced in some models, for which few if any security vulnerabilities were known.
But one thing about the malware has left the investigators stumped: It doesn’t appear to do anything, yet.
A version compiled for older Intel Macs delivers a message simply saying “Hello world!”, while one for M1 Macs tells victims “You did it!”, messages that “could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate”.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Mr Lambert warned.
It gets worse.
Like a large proportion of the world’s websites, Silver Sparrow connects to a server run by the cloud-market-dominating Amazon Web Services (AWS).
Mr Lambert notes that AWS “offers a highly available and resilient file distribution method”, allowing the attackers to serve out files and operate without worrying about additional network administration or overheads, as well as giving them a way to hide.
Mr Lambert also said the person or persons behind Silver Sparrow “likely understands the cloud infrastructure and its benefits over a single server or non-resilient system” and “likely understands this hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic”.
“Most organisations cannot afford to block access to resources in AWS … the decision to use AWS infrastructure further supports our assessment that this is an operationally mature adversary,” Mr Lambert warned.
Domains were also traced back to a content delivery network operator called Akamai.
Mr Lambert said the virus and its lack of a payload present “mysteries on mysteries”, the most intriguing being what it is supposed to do.
“The ultimate goal of this malware is a mystery,” Mr Lambert said.
“We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution.”
Red Canary doesn’t know for sure, but believes the virus first emerged in August last year, with a second version that infects M1 Macs circulating since December.
The company is not certain of the distribution method, but suspects “malicious search engine results” tricked users into downloading the installer.