Silver Sparrow: What is it and How to remove it

Mike Lane – DASNR IT
February 24, 2021

What is Silver Sparrow?

In February researchers at Red Canary announced that a “new” macOS malware strain had been discovered, naming it “Silver Sparrow”. As of February 17th, the malware had been detected in over 29,000 macOS devices across 153 countries; a majority of the infections reside in the US, UK, Canada, France and Germany.

Researchers from VMware, Carbon Black and Malwarebytes found that Silver Sparrow has one unusual characteristic: it carries no payload, that is, no final malicious action following the infection. This does not rule out a future attack, however, as the malware appears to check in for “repeated hourly updates”. Red Canary’s Tony Lambert writes:

“…the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”

Apple is currently in the process of “eradicating” the new strain; details are forthcoming.

Two versions of Silver Sparrow have been discovered: one consists of a binary that affects Intel-based Macs only, and a second affects both Intel and M1 architectures.

How to remove Silver Sparrow?

Here are some questions to help determine whether your Mac has been infected:

  • Were you prompted by a website to download a software package and/or update?
  • Was this something that you had no intention of downloading/installing until you were prompted to do so from a website?
  • Was the file named something similar to “update.pkg” or “updater.pkg”?

If you answered “yes” to any of the above questions, some suspicion is justified. While there are currently no outward, behavioral signs of infection, Silver Sparrow is known to place certain files on the Mac system. Red Canary notes that four files are a telltale sign that your system may be infected:

  • ~/Library/._insu (empty file used to signal the malware to delete itself)
  • /tmp/agent.sh (shell script executed for installation callback)
  • /tmp/version.json
  • /tmp/version.plist
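A quick way to check for those four files is a small shell script. The one below is an added example written for this article; it is not Red Canary’s or Malwarebytes’ code, and the optional directory arguments, the per-account check of /Users, and the assumed filename check_silver_sparrow.sh are this example’s own conventions. It only reports whether the indicator files exist (with their size and modification time from ls) and changes nothing; removal is left to Malwarebytes or your IT Specialist as described below.

```shell
#!/bin/sh
# Added example (not from the original article or from Red Canary): report
# whether the four Silver Sparrow indicator files are present on a Mac.
# Nothing is deleted or modified; the script only looks and reports.

# Print one line for the path if it exists (size and mtime via ls -ld).
# Returns 0 when the path is absent, 1 when it is present.
report_if_present() {
    if [ -e "$1" ]; then
        printf 'INDICATOR PRESENT: '
        ls -ld -- "$1"
        return 1
    fi
    return 0
}

# Usage: check_silver_sparrow [HOME_DIR] [TMP_DIR]
# With no arguments it inspects the current user's home and /tmp. The two
# optional directories are an assumption of this example so the same check
# can be pointed at a mounted disk image or at a test directory.
# Returns 0 when no indicator is present, 1 when at least one is.
check_silver_sparrow() {
    home_dir="${1:-$HOME}"
    tmp_dir="${2:-/tmp}"
    found=0
    # The four paths Red Canary associates with Silver Sparrow.
    for path in \
        "$home_dir/Library/._insu" \
        "$tmp_dir/agent.sh" \
        "$tmp_dir/version.json" \
        "$tmp_dir/version.plist"
    do
        report_if_present "$path" || found=1
    done
    if [ "$found" -eq 0 ]; then
        printf 'No Silver Sparrow indicator files found.\n'
    fi
    return "$found"
}

# Usage: check_all_homes [USERS_DIR] [TMP_DIR]
# ~/Library/._insu lives in each account's home, so an administrator should
# check every account (macOS keeps them under /Users), while the /tmp files
# are shared and are checked once. Same return convention as above.
check_all_homes() {
    users_dir="${1:-/Users}"
    shared_tmp="${2:-/tmp}"
    any=0
    for p in "$shared_tmp/agent.sh" "$shared_tmp/version.json" "$shared_tmp/version.plist"; do
        report_if_present "$p" || any=1
    done
    for home in "$users_dir"/*/; do
        [ -d "$home" ] || continue   # skips the literal glob when no homes exist
        report_if_present "${home%/}/Library/._insu" || any=1
    done
    if [ "$any" -eq 0 ]; then
        printf 'No Silver Sparrow indicator files found in %s or %s.\n' "$users_dir" "$shared_tmp"
    fi
    return "$any"
}

# When executed directly under the assumed filename, check the current user;
# sourcing the file only defines the functions.
case "$0" in
    *check_silver_sparrow.sh) check_silver_sparrow ;;
esac
```

Save it as check_silver_sparrow.sh and run `sh check_silver_sparrow.sh` as the user in question, or run `check_all_homes` from an administrator shell to cover every account; a non-zero exit status means at least one indicator file was found and the machine should be handed to IT rather than cleaned by hand, since the empty ~/Library/._insu file is the malware’s own self-delete trigger and touching it can erase evidence.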

Malwarebytes can find and clean Silver Sparrow. If you are interested in installing Malwarebytes, or having it installed, on your university-owned computer, please contact your departmental IT Specialist, a member of DASNR Information Technology, or the IT Helpdesk. Below are additional resources you may find beneficial:

  • https://appleinsider.com/articles/21/02/20/more-malware-found-to-target-apple-silicon-macs
  • https://appleinsider.com/articles/21/02/17/first-apple-silicon-m1-malware-discovered-in-the-wild
  • https://appleinsider.com/articles/21/02/22/apple-has-taken-steps-to-eradicate-mysterious-malware-strain
  • https://redcanary.com/blog/clipping-silver-sparrows-wings/
  • https://lifehacker.com/find-and-remove-the-new-silver-sparrow-macos-malware-1846324908
  • https://www.macobserver.com/news/how-find-silver-sparrow/
  • https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/

Zoom Security: Updates

When you are hosting a Zoom meeting, security is essential to the success of your meeting. Zoom has become one of the most popular online conferencing tools in use today, and along with that rise in popularity comes an increase in security risks. One of the biggest problems currently is Zoom-bombing, in which a group of people tries to take over or disrupt a Zoom session in progress. To combat these risks, Zoom has updated its existing security features and added new ones. For additional information, see our Zoom security best practices guide.

Zoom Security menu

An image of the Zoom Security menu from the Zoom client.

Zoom has expanded the former security menu to include additional items. You have control over every aspect of what participants can do while they are in your Zoom session. If you need someone to be able to Share Screen or Unmute themselves without giving that ability to all participants, simply promote them to co-host in the Participants menu. Also, if your meeting is breached or participants become unruly, use the Suspend Participant Activities option in the Security menu. This removes all options from this list and promptly mutes everyone and turns off their cameras. Once it has been selected, only the host or co-hosts can unmute themselves and turn their video back on.

Removing Participants

Image of the Remove Participant menu from the Zoom client.

From the Zoom Security menu, you can remove participants. When you click the Remove Participant option from the Security menu, you will see the window shown above. From this list of participants, you can click Remove on individual participants. Note: be sure to lock the meeting before removing any participants, or they may be able to rejoin.

Reporting Participants

Image of the Participant menu in Zoom showing the options for an individual user.

Zoom has also created a reporting option for unruly or unwanted guests. This service allows you to report a user, including video or screenshots of their bad activity. When submitted, the information is sent to Zoom for review, and if the behavior is deemed unacceptable the user will be blocked from using Zoom in the future. This should only be used in cases where the user is intentionally disrupting Zoom sessions.