There’s a new malware threat specifically targeting Macs. It’s called Silver Sparrow . Details are still relatively scarce but here’s what we know currently:
- It was discovered by Red Canary (a cybersecurity provider based out of Denver, CO) and analyzed by them, Malwarebytes and VMWare Carbon Black.
- It’s infected about 30,000 Macs across 153 countries as of last week. Most of which are in the US, UK, Canada, France and Germany.
- Researches don’t know how the malware is circulating yet. Could be through malicious ads. Might be through phony Flash updates.
- Once installed, the malware…sits around and waits for a command from its operator. As of yet, it hasn’t been activated so researchers are at a loss regarding what it actually does. It received ZERO commands while it was being observed.
- Just because it didn’t do anything while it was being examined, it doesn’t mean this is a failed malware strain. It could be whoever released it into the wild is just waiting for the moment to strike.
- The malware is coded with M1 (Apple’s new in house chipset) support.
How do you detect Silver Sparrow?
According to Red Canary you should:
- Look for a process that appears to be
PlistBuddy
executing in conjunction with a command line containing the following:LaunchAgents
andRunAtLoad
andtrue
. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence. - Look for a process that appears to be
sqlite3
executing in conjunction with a
command line that contains:LSQuarantine
. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files. - Look for a process that appears to be
curl
executing in conjunction with a command line that contains:s3.amazonaws.com
. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.
Has Apple done anything to stop Silver Sparrow infections?
According to AppleInsider.com, yes! Apple is reported to have revoked the certificates used by the Malware’s creators to sign the installation packages, basically freezing them in their tracks. (READ HERE)
There’s also a possibility of future software updates to alleviate/eliminate any problems that may rise up in the future.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.