What is Silver Sparrow? No, it is not a Game of Thrones character – did that ship sail? – but rather a new piece of macOS malware that runs on both Intel and M1-based Macs. That makes it the second known malware to target the latter, but there’s a silver lining: researchers found the malicious software before it had a chance to actually harm your system.
As Red Canary’s Tony Lambert writes:
“… the ultimate goal of this malware is a mystery. We cannot know for sure which payload is being distributed by the malware, whether a payload has already been delivered and removed, or whether the opponent has a future timeline for distribution. Based on data Malwarebytes shared with us, the nearly 30,000 affected hosts failed to download what would be the next or final payload.”
Head over to Red Canary’s blog if you want to see the technical details of Silver Sparrow. If you are curious whether you are infected, chances are you aren’t and won’t be in the future – Apple has revoked the developer certificates used to sign the package files that start the infection, which means Mac users cannot install it if they use the Mac’s default security settings. (I did not find the said malware, so I cannot verify whether your Mac warns you against installing it or just marks it as a malicious app and forbids you from doing so.)
However, if you are concerned that you may be infected, think about what you have been doing with your system lately. Did a website ask you to download a software package and/or update? Was it something you didn’t want to download or install until a website suggested you should? Is the package file called something simple and boring, such as “update.pkg” or “updater.pkg”?
If so, a little mistrust is warranted. While there is no real way to detect, based on observable behavior, whether said malware is on your system – as it currently does nothing and it is unclear if it ever will – you can look for files that the malware drops onto your system. Red Canary notes four files suggesting that your system may be infected:
- ~/Library/._ins (empty file used to signal malware to remove itself)
- /tmp/agent.sh (shell script executed for installation callback)
- /tmp/version.json (file downloaded from S3 to determine the execution flow)
- /tmp/version.plist (version.json converted to a property list)
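The file check described in the list above, as an added shell example (not code from Red Canary, effgee or the original article). The four paths are used exactly as printed above; the optional root prefix and the extra home-directory arguments are assumptions added here so the same check can cover other user accounts or a mounted backup volume.

```shell
#!/bin/sh
# Added example: look for the four Silver Sparrow artifact files listed above.
# Paths are copied from the list as printed; nothing is deleted or modified.

# report PATH: print details and return 0 if PATH exists, else return 1.
# -L is tested as well so that a dangling symlink at the path is not missed.
report() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        printf 'FOUND '
        ls -ld "$1"        # owner, size and timestamp help with triage
        return 0
    fi
    return 1
}

# scan_silver_sparrow [ROOT] [HOME_DIR ...]
#   ROOT      optional prefix (assumption: e.g. a mounted backup volume)
#   HOME_DIR  home directories to inspect; defaults to the current user's
# Returns 0 when no listed artifact exists, 1 otherwise.
scan_silver_sparrow() {
    root=${1:-}
    [ $# -gt 0 ] && shift
    [ $# -eq 0 ] && set -- "${HOME:-/var/empty}"
    hits=0
    # The three /tmp artifacts are system-wide, so check them once.
    for f in /tmp/agent.sh /tmp/version.json /tmp/version.plist; do
        report "$root$f" && hits=$((hits + 1))
    done
    # The ~/Library marker is per user, so check every home directory given.
    for home_dir in "$@"; do
        report "$root$home_dir/Library/._ins" && hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# Check the live system for the current user.
if scan_silver_sparrow; then
    echo "None of the listed Silver Sparrow files were found."
else
    echo "One or more listed files exist; review them before removing anything."
fi
```

To cover several accounts in one pass, call `scan_silver_sparrow "" /Users/alice /Users/bob` (constructed account names) from an administrator shell.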
This long (and incredibly useful) article from Ars Technica commenter effgee helps you find the offending files, confirm that they are problematic and delete them. Since Malwarebytes worked with Red Canary on detection data ahead of the analysis and the published piece, chances are that using the free version of that popular anti-malware scanner/remover should also suffice.
If the current version of the app cannot find and remove Silver Sparrow, make sure to keep the definitions up to date – and that you perform regular scans. I expect it will not be long before the company issues an update that scrubs macOS clean of this annoying, but otherwise stagnant, malware.