War: Around 100k Apple computers are infected and waiting to do something
  • The new malware Silver Sparrow, found on nearly 30,000 Mac computers worldwide, has caught the attention of security experts. There are several reasons. First, the malware comes in two binaries, one for the M1 processor. Second, researchers cannot understand the purpose of the attackers.

    Once an hour, infected computers check the control server for new commands or binaries to execute.

    But so far, no payload has been delivered to any of the 30,000 infected machines. The absence of a payload suggests that the malware can take action as soon as an unknown condition is met.

    Curiously, the malware comes with a complete removal mechanism that is commonly used in professional intelligence operations. However, there are still no signs of using the self-destruct function, which raises the question of why this mechanism is needed.

    In addition to these issues, the malware is notable for the presence of a binary for the M1 chip, which was introduced in November 2020. This is just the second known macOS malware for M1. The binary is even more cryptic because it uses the macOS installer JavaScript API to execute commands.

    One of the most impressive things about Silver Sparrow is the number of Macs it infects. Colleagues at Malwarebytes found Silver Sparrow installed on 29,139 macOS endpoints as of February 17, 2021. This is a significant achievement.

    And these are only the computers visible to the Malwarebytes antivirus, so the real number is much higher.

    The real number is from 100k up to 500k.

    Rumors in the industry are that the small number of viruses for macOS is also due to Apple specially sponsoring virus toolkit authors so they can do more for Windows and not make their tools available for macOS. Apple does not control a lot of virus authors, but controls authors of core tools and owners of communities (so they can kill any social activity and prevent groups from forming).