Some 30,000 macOS devices running on the M1 processor were invaded and abandoned inexplicably, leaving cyber researchers baffled.

Apple’s new M1 processor has sent chills down the halls of Intel’s research and marketing divisions, but a new piece of malware is in turn causing a fever in the cybersecurity sector.

The Silver Sparrow malware targets only Macs running on the new processor, does not contain any payload, and even self-destructs. It has been found mostly in 153 countries (Asia is not listed yet), and it even uses Amazon Web Services and Akamai content delivery networks for reliable execution!

Although adware from the long-running Pirrit family beat Silver Sparrow to become the first M1-specific malware, the latter can claim to be the first to have cyber researchers stumped.

What kind of malware infects systems specifically because of the presence of a particular processor, with no purpose other than to say “You did it!” in its readable code? Many developers of legitimate macOS apps have still not finished compiling their code for the new M1 chip, which launched only last November.

No need to know the motive

Could it be just a proof of concept by some hackers out for fame and mindshare? Or the beginning of some anti-Apple espionage by competitors or state-sponsored actors?

One educated comment we received was from Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group. He said cybercriminals define the rules of their attacks, and it is up to us to defend against their tactics, even when those tactics are not completely clear.

“That’s the situation with Silver Sparrow. At present, it doesn’t appear to do too terribly much, but it can provide insights into tactics that we should be defending against. Chief amongst them is the use of AWS S3 buckets as well as the use of the Akamai CDNs, but there is nothing to say that other cloud-based file services couldn’t also be used. This of course presents a challenge for IT teams as it’s unlikely that unconditionally blocking AWS or Akamai would lead to happy employees.”

Nowadays, most modern applications use application programming interfaces and cloud services at some point in their lifecycle. Knowing which APIs and cloud service endpoints represent legitimate access helps immensely when mitigating data leakage from within an organization, Mackey said. “The trick in this context is to understand what normal activity looks like for the applications powering your business. So, while the intention of Silver Sparrow remains a bit of a mystery, its current profile can help IT teams build out a threat model for it and protect against future variants or payloads.”