How to find and remove the new macOS malware ‘Silver Sparrow’

What is Silver Sparrow? No, it’s not a Game of Thrones character – has that ship sailed yet? – but it is a new piece of macOS malware that runs on both Intel and M1-based Macs. That makes it the second known piece of malware for the latter, but there is a silver lining: researchers found the malicious software before it had the chance to actually harm your system.

As Red Canary’s Tony Lambert writes:

“… the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future schedule for distribution. Based on the data shared with us by Malwarebytes, the nearly 30,000 affected hosts did not download what would be the next or last payload.”

Head over to the Red Canary blog if you want the essential technical details of Silver Sparrow. If you are wondering whether you have been infected, you probably haven’t been, and won’t be going forward: Apple has revoked the developer certificates used to sign the package files that start the infection, which means Mac users won’t be able to install it under the Mac’s default security settings. (I didn’t find the malware, so I can’t verify whether your Mac will warn you against installing it, or simply flag it as malicious software and refuse to let you.)

However, if you are concerned about the possibility of being infected, think about what you have done with your system recently. Were you asked by a website to download a software package and/or update? Was it something you didn’t intend to download or install until a website suggested that you should? Did that package file have a simple, boring name, like “update.pkg” or “updater.pkg”?

If so, a little suspicion is warranted. Although there is no real way to detect whether the malware is on your system based on observable behavior (it isn’t doing anything at the moment, and it is unclear whether it ever will), you can go hunting for the files the malware installs on your system. Red Canary notes four files that suggest your system may be infected:

  • ~/Library/._insu (empty file used to signal that the malware should delete itself)
  • /tmp/agent.sh (shell script executed for the installation callback)
  • /tmp/version.json (file downloaded from S3 to determine the flow of execution)
  • /tmp/version.plist (version.json converted to a property list)
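As an added example (not code from the original article or from Red Canary), the shell check below looks for those four indicator files and, if you pass it a quarantine directory, moves any it finds there so they are preserved for review rather than deleted; the HOME_DIR/TMP_DIR arguments are an assumption made here so the check can also be pointed at a test tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original article or from Red Canary): a POSIX
# shell check for the four Silver Sparrow indicator files listed above. Found
# files are reported and, if a quarantine directory is given, moved there so
# they are preserved for review instead of being deleted outright. The
# HOME_DIR/TMP_DIR arguments are an assumption made here so the check can be
# pointed at a test tree instead of the live system.
#
# Usage: silver_sparrow_check [HOME_DIR] [TMP_DIR] [QUARANTINE_DIR]
# Output: one "FOUND <path>" line per indicator present, then
#         "indicators: <count>" as the final line.
silver_sparrow_check() {
    home_dir="${1:-$HOME}"
    tmp_dir="${2:-/tmp}"
    quarantine="${3:-}"
    found=0
    for f in "$home_dir/Library/._insu" \
             "$tmp_dir/agent.sh" \
             "$tmp_dir/version.json" \
             "$tmp_dir/version.plist"; do
        [ -e "$f" ] || continue
        found=$((found + 1))
        if [ -n "$quarantine" ]; then
            mkdir -p "$quarantine"
            # Keep the file for analysis, but take it out of the path the
            # malware's installer expects to find it in.
            mv "$f" "$quarantine/$(basename "$f")"
            printf 'FOUND %s (moved to %s)\n' "$f" "$quarantine"
        else
            printf 'FOUND %s\n' "$f"
        fi
    done
    printf 'indicators: %d\n' "$found"
}

# When run directly: report-only scan of the live system ($HOME and /tmp).
silver_sparrow_check
```

Run it without arguments for a report-only check; pass a quarantine directory only once you have confirmed the files are the ones described above.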

This long (and incredibly useful) post from Ars Technica commenter effgee will help you find the offending files, confirm that they are problematic, and remove them. Since Malwarebytes worked with Red Canary on the detection data for its analysis and published article, chances are good that the free version of that popular anti-malware scanner/remover should also be sufficient.

If the current version of the application does not find and remove Silver Sparrow, make sure you keep its definitions up to date and run regular scans. I expect it won’t be long before the company releases an update that rids macOS of this annoying, but otherwise dormant, malware.
