Silver Sparrow: New Mac Malware Silently Infects Users for Mysterious Purpose

Cybersecurity analysts have detected a sophisticated malware sample that attacks Apple users in the wild. The joint research from Red Canary, Malwarebytes, and VMWare Carbon Black details that approximately 30,000 hosts across 153 countries have been compromised by the new threat dubbed Silver Sparrow. The topmost infection rates were spotted in the United States, Canada, France, the United Kingdom, and Germany.

Currently, the Silver Sparrow’s delivery methods remain unknown, and what is even more interesting, the final goal of the malicious activity is still undetermined. However, security professionals point to the sophistication of the new threat due to its ability to target new Apple M1 chips, novel evasion tactics, and unusual malicious behavior.

Silver Sparrow Description

As for February 2021, security analysts uncovered two existing variants of Silver Sparrow delivered under updater.pkg and updater.pkg file names. Both strains are similar in functionality, the only distinction is that updater.pkg contains a Mach-O binary supporting both Intel x86_64 and M1 ARM64 architectures, while updater.pkg supports Intel x86_64 architecture exclusively.

Opposite to most existing Mac malicious software samples that rely on reinstall or post-install scripts to execute commands, Silver Sparrow abuse legitimate macOS Installer JavaScript API for this purpose. It is a noticeable novelty allowing the threat to evade detection since such an approach produces different telemetry and misleads researchers while analyzing malicious activity.

Upon infection, Silver Sparrow relies on JavaScript functions to produce shell scripts and connect to the operator’s command-and-control (C&C) server. Then, the malware creates LaunchAgent Plist XML files to repeatedly launch these scripts while waiting for the new commands from its maintainers. However, the samples inspected by experts never received any instructions. Although it may be a sign of a faulty strain, experts assume that Silver Sparrow can detect the analysis, so it doesn’t push any second-stage executables to the hosts under the research.

Apart from the final goal puzzle, Silver Sparrow performs an unusual file check. Particularly, the malware checks for the ~/Library/._insu presence on disk, and if identified, Silver Sparrow deletes all its files from the system. The purpose of this check currently remains unknown.

Another indication of Silver Sparrow’s sophistication is the fact that it is compatible with macOS systems running Apple’s latest M1 chip. It is the second threat ever detected to support M1 ARM64 architectures. Such an innovation significantly complicates the static analysis and lowers the detection rate for this malicious strain by antivirus solutions.

Silver Sparrow Detection 

On February 22, 2021, Apple revoked the certificates leveraged by Silver Sparrow creators to sign the installation packages. This way the vendor protects its users from further malware propagation and blocks any new infections.

To detect the possible malicious activity related to Silver Sparrow malware, download an exclusive Sigma rule by SOC Prime Team from Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/abqGAiP8fz3K/fVpgzncBTwmKwLA9K4Q1/#rule-source-code

The rule has translations to the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Carbon Black

MITRE ATT&CK:

Tactics: Execution

Techniques: Command-Line Interface (T1059)

Unless you don’t have a paid access to the Threat Detection Marketplace, this exclusive Sigma rule can be unlocked by activating your free trial under a community subscription.

Sign up to Threat Detection Marketplace to reach an industry-leading SOC library containing 95,000+ detection rules, parsers, search queries, and other content mapped to CVE and MITRE ATT&CK® frameworks. The content base enriches every day with the joint efforts of our international community of 300+ security performers. Want to become a part of our threat hunting initiatives?  Join Threat Bounty Program!