Researchers find M1-compatible malware on nearly 30,000 Macs
Researchers have found a malware variant compiled natively for Apple's new M1 chipset on nearly 30,000 Macs. It is not the first M1-native malware seen in the wild, but it is notable in that it carries no payload yet.
The researchers told Ars Technica that the malware checks in with command-and-control servers hosted on Amazon and Akamai infrastructure, which makes those servers difficult to block without collateral damage. What exactly triggers the malware into action is also unknown. For now, anyone who runs the malware's binaries directly is greeted only with the messages "Hello World!" and "You did it!". Also notable is a self-destruct mechanism, intended to leave no leftover traces once a payload has been delivered.
What is already clear is that the malware spreads widely. The Red Canary researchers attribute this partly to the fact that it also ships a build for x86_64 processors, which older Macs run on. Ars Technica calls the nearly 30,000 infections discovered "impressive." The infections are concentrated mainly in Western Europe. Malwarebytes also notes that the true number of infections is likely much higher, since it cannot detect every one of them.
The researchers speculate that the malware may spread through rogue search results while posing as a legitimate app. They suspect this because, after a successful installation, the malware fetches the URL from which the installer was originally downloaded.
The researchers, from Red Canary and Malwarebytes, argue that the information should be shared with the infosec community even though the malware currently does nothing. The malware, which they call Silver Sparrow, could receive a highly malicious payload in the future. The report also explains how Mac users can check whether the malware is present on their system.