Silver Sparrow

A new macOS malware known as Silver Sparrow has silently infected almost 30,000 Mac devices with malware whose purpose is a mystery.

In a collaboration between Red Canary, Malwarebytes, and VMware Carbon Black, researchers have found a new Mac malware that exhibits unusual properties, including a component explicitly compiled for the new Apple M1 chip.

According to Malwarebytes, this malware has infected 29,139 Mac devices across 153 countries, with high volumes in the United States, the United Kingdom, Canada, France, and Germany.

Not your typical adware

While Apple has always prided itself over macOS’ security, the reality is that the operating system is increasingly targeted by malware, ransomware, and adware.

In a new report by RedCanary, researchers reveal a new malware targeting Mac devices that is unlike most infections developed for the operating system.

Named Silver Sparrow, the malware has been seen distributed as two different files named ‘updater.pkg’ [VirusTotal] or ‘update.pkg’ [VirusTotal]. The only difference seen by Red Canary is that the update.pkg includes both an Intel x86_64 and an Apple M1 binary, while the updater.pkg only includes the Intel executable.

Silver Sparrow executable
Silver Sparrow executable

Unlike most macOS adware which uses ‘preinstall’ and ‘postinstall’ scripts to execute commands or install further malware, Silver Sparrow utilizes JavaScript to execute its commands. The use of JavaScript produces different telemetry that makes it harder to detect malicious activity based on command line arguments.

Using JavaScript, SilverSparrow will create shell scripts executed by the malware to communicate with the command and control servers and create LaunchAgent Plist XML files to execute shell scripts periodically.

Creating the malicious shell scripts and LaunchAgent
Creating the malicious shell scripts and LaunchAgent

The LaunchAgent will connect to the threat actor’s command and control server every hour to check for new commands that the malware will execute.

While running, the malware will check for the presence of the ~/Library/._insu file, and if found, will remove itself and all associated files. The researchers have not been able to determine what triggers this kill switch.

Malware’s purpose is a mystery

After observing the malware for a week, Red Canary researchers could not see further payloads downloaded and triggered by these hourly checks. Thus the malware’s real purpose remains a mystery.

“In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution,” explains Red Canary’s report.

The Intel and Mach-O binaries included with Silver Sparrow seem to be placeholders for an in-development malware as executing them only displays a screen stating ‘Hello World’ or ‘You did it!,’ as shown below.

The screen shown after running included binary
The screen shown after running included binary

Unfortunately, Silver Sparrow’s distribution also remains a mystery at this time.

“Other than the fact that it gets installed via an installer .pkg file, we have no idea. We don’t know how users would have initially found that installer. In fact, I’m a bit skeptical that it may even still be in distribution, in this form, at least,” Malwarebytes’ Thomas Reed told BleepingComputer

How to check for the Silver Sparrow malware

If you use Malwarebytes for Mac, the program was updated over a week ago to detect if the Silver Sparrow malware is installed.

For those who do not use Malwarebytes or would like to check for the malware’s presence manually, you can use the following checklist provided by Red Canary.

  • Look for a process that appears to be PlistBuddy executing in conjunction with a command-line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
  • Look for a process that appears to be sqlite3 executing in conjunction with a command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
  • Look for a process that appears to be curl executing in conjunction with a command-line that contains: This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

To perform these steps, you can use the following commands from Terminal:

ps -aex | grep -i buddy
ps -aex | grep -i curl | grep -i amazon
ps -aex | grep -i sqlite3 | grep -i LSQuarantine

If there are processes listed in the output, not including the ones above, you should immediately scan your device for malware and inspect it for further compromise.