Silver Sparrow: What is it and How to remove it

Categories: Security

Mike Lane – DASNR IT
February 24, 2021

What is Silver Sparrow?

In February researchers at Red Canary announced that a “new” macOS malware strain had been discovered, naming it “Silver Sparrow”. As of February 17th, the malware had been detected in over 29,000 macOS devices across 153 countries; a majority of the infections reside in the US, UK, Canada, France and Germany.

Researchers from VMware, Carbon Black and Malwarebytes found that Silver Sparrow has one interesting characteristic: it has no payload which would be the resulting action from an infection. However, this does not rule out a future attack as there appears to be “repeated hourly updates”. Red Canary’s Tony Lambert writes:

“…the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”

Currently Apple is in the process of “Eradicating” the new strain; details are forthcoming.

Two versions of Silver Sparrow have been discovered: one version consists of a binary affecting Intel based Macs only and a second version affects both Intel and M1 architectures.

How to remove Silver Sparrow?

Here are some questions to help determine “if” your Mac has been infected:

  • Were you prompted by a website to download a software package and/or update?
  • Was this something that you had no intention of downloading/installing until you were prompted to do so from a website?
  • Was the file named something similar to “update.pkg” or “updater.pkg”?

If you answered “yes” to any of the above questions, some suspicion is justified. While there are no current outward signs of infection based upon observable behavior, Silver Sparrow is known to place certain files on the Mac system. Red Canary notes that four files are a tale-tell sign that your system may be infected:

  • ~/Library/._insu (empty file used to signal the malware to delete itself)
  • /tmp/agent.sh (shell script executed for installation callback)
  • /tmp/version.json
  • /tmp/version.plist

MalwareBytes can find and clean Silver Sparrow. If you are interested in installing or having MalwareBytes installed to your university-owned computer, please contact your departmental IT Specialist, a member of DASNR Information Technology, or the IT Helpdesk. Below are additional resources you may find beneficial:
* https://appleinsider.com/articles/21/02/20/more-malware-found-to-target-apple-silicon-macs
* https://appleinsider.com/articles/21/02/17/first-apple-silicon-m1-malware-discovered-in-the-wild
* https://appleinsider.com/articles/21/02/22/apple-has-taken-steps-to-eradicate-mysterious-malware-strain
* https://redcanary.com/blog/clipping-silver-sparrows-wings/
* https://lifehacker.com/find-and-remove-the-new-silver-sparrow-macos-malware-1846324908
* https://www.macobserver.com/news/how-find-silver-sparrow/
* https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/

Written by: , DASNR IT

Leave a Reply

Your email address will not be published. Required fields are marked *