How to find and remove the new ‘Silver Sparrow’ macOS malware

What is Silver Sparrow? No, it is not a Game of Thrones character (did that ship sail?) but rather a new piece of macOS malware that runs on both Intel and M1-based Macs. That makes it the second known piece of malware for the latter, but there is a silver lining: researchers discovered the malicious software before it had the chance to actually harm your system.

As Red Canary’s Tony Lambert writes:

‘… the ultimate purpose of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 hosts have not downloaded the next or final payload.’

Click through to the Red Canary page if you want the technical details of Silver Sparrow. Even if you are curious (or worried that you are infected), chances are good that you are not. Going forward, Apple has revoked the developer certificates used to sign the package files that start the infection, which means Mac users can no longer install it if they use the Mac’s default security settings. (I could not find the malware myself, so I cannot verify whether your Mac will warn you before you install it, or simply flag it as a malicious app and refuse to let you do so.)

However, if you are concerned that you are infected, think about what you have been doing with your system lately. Has a website asked you to download a software package and/or update? Was it something you did not intend to download or install until a website suggested you do so? Is the package file called something simple and dull, like “update.pkg” or “updater.pkg”?

If so, a little suspicion is warranted. Although there is no real way to detect the malware on your system from observable behavior, since it does nothing at the moment and its intent is unclear, you can search for the files the malware drops on your system. Red Canary lists four files that suggest your system may be infected:

  • ~/Library/._insu (empty file used to signal the malware to remove itself)
  • /tmp/agent.sh (shell script run for callback installation)
  • /tmp/version.json (file downloaded from S3 to determine execution flow)
  • /tmp/version.plist (version.json converted to a property list)
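A small check for the four indicator files listed above, added here as an example (it is not from Red Canary or from effgee’s write-up). It only reports whether the files exist, never opens or runs them, and takes the home and tmp directories as arguments so it can be pointed at any directory tree:

```shell
#!/bin/sh
# Look for the four on-disk indicators Red Canary associates with Silver Sparrow.
# Arguments: home directory (default $HOME) and tmp directory (default /tmp).
# Prints each indicator that is present and returns the number found
# (0 means none of the files exist).
check_silver_sparrow_indicators() {
    home_dir="${1:-$HOME}"
    tmp_dir="${2:-/tmp}"
    found=0
    for f in \
        "$home_dir/Library/._insu" \
        "$tmp_dir/agent.sh" \
        "$tmp_dir/version.json" \
        "$tmp_dir/version.plist"
    do
        if [ -e "$f" ]; then
            found=$((found + 1))
            # Show size and modification time so the user can judge how recent
            # the file is; the file itself is not executed or parsed.
            printf 'FOUND: %s\n' "$f"
            ls -l "$f"
        fi
    done
    return "$found"
}

# When run directly, check the real locations on this machine.
if check_silver_sparrow_indicators; then
    echo "No Silver Sparrow indicator files found."
else
    echo "One or more indicator files found; investigate before deleting."
fi
```

An empty ~/Library/._insu on its own is a remove-itself marker, so a hit there is still worth a full scan rather than just deleting the file.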

This long (and incredibly helpful) write-up from Ars Technica commenter effgee will help you find the offending files, confirm that they are problematic, and delete them. Since Malwarebytes worked with Red Canary on the tracking data for its analysis and published piece, chances are good that the free version of that popular anti-malware scanner/remover will also suffice.

If the current version does not yet find and remove Silver Sparrow, keep its definitions updated and run regular scans. I expect it will not take long for the company to issue an update that scrubs macOS clean of this troublesome but otherwise dormant malware.
