According to researchers, as of mid-February the Silver Sparrow malware had been found on almost 30,000 macOS endpoints across 153 countries.
In early February, cybersecurity researchers at Red Canary discovered a new strain of macOS malware, which they named “Silver Sparrow.”
By mid-February, Silver Sparrow had been found on almost 30,000 macOS endpoints across 153 countries.
There are two variants of this malware. The defining difference between them is that one contains a Mach-O binary compiled only for the Intel x86_64 architecture, while the other contains a Mach-O binary compiled for both Intel x86_64 and the ARM64 architecture of Apple's M1 chip, so it runs natively on either kind of Mac.
Silver Sparrow also includes a self-destruct mechanism; however, researchers have seen no sign of it being used, so the purpose of this feature remains unknown.
What makes Silver Sparrow uniquely interesting is the lack of a final payload. (The payload is the part of the malware that performs the actual malicious action.)
Researchers have not yet observed any harm this malware does to an infected system, which leaves its true intent a mystery.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” the Red Canary researchers wrote in a blog post.
While the 29,139 macOS endpoints on which Silver Sparrow has been observed is already a significant number, researchers believe the real figure is probably higher, because that count covers only the endpoints visible to Malwarebytes telemetry.
Engineers at Red Canary have published a set of detection analytics that let defenders hunt for this malware on their systems:
- Look for a process that appears to be PlistBuddy executing with a command line containing all of the following: LaunchAgents, RunAtLoad and true. This analytic helps find multiple macOS malware families establishing LaunchAgent persistence.
- Look for a process that appears to be sqlite3 executing with a command line that contains LSQuarantine. This analytic helps find multiple macOS malware families manipulating or searching the metadata of downloaded files.
- Look for a process that appears to be curl executing with a command line that contains s3.amazonaws.com. This analytic helps find multiple macOS malware families using S3 buckets for distribution.
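The three analytics above are simple process-name plus command-line matches, so they are easy to run over whatever process telemetry you already collect. The following is an added example, not code from Red Canary or from the article: it encodes the three analytics as data and runs them over JSON-lines process events. The event format (a `process` path, a `cmdline` string and a `pid`) is an assumption standing in for your EDR or unified-log export, and the sample events are constructed, not captured from an infection.

```python
"""Match Red Canary's three Silver Sparrow hunting analytics against process events.

Added example, not code from Red Canary or the article. The JSON-lines event
format ("pid", "process", "cmdline") is an assumption standing in for an EDR
export; SAMPLE_TELEMETRY below is constructed, not real telemetry.
"""
import json
import os
from typing import Dict, List, Tuple

# Each analytic: the process basename to look for (compared case-insensitively)
# and the substrings that must ALL appear in the command line.
ANALYTICS = {
    "launchagent_persistence": ("plistbuddy", ("LaunchAgents", "RunAtLoad", "true")),
    "lsquarantine_tampering": ("sqlite3", ("LSQuarantine",)),
    "s3_bucket_download": ("curl", ("s3.amazonaws.com",)),
}

# Constructed sample events. 4101, 4103 and 4104 should match one analytic
# each; 4102 and 4105 are benign look-alikes; the last line is deliberately
# malformed to exercise the parser's error handling.
SAMPLE_TELEMETRY = """
{"pid": 4101, "process": "/usr/libexec/PlistBuddy", "cmdline": "/usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' /Users/alice/Library/LaunchAgents/com.example.agent.plist"}
{"pid": 4102, "process": "/usr/libexec/PlistBuddy", "cmdline": "/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' /Applications/Example.app/Contents/Info.plist"}
{"pid": 4103, "process": "/usr/bin/sqlite3", "cmdline": "sqlite3 /Users/alice/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineDataURLString from LSQuarantineEvent'"}
{"pid": 4104, "process": "/usr/bin/curl", "cmdline": "curl -s https://example-bucket.s3.amazonaws.com/update.tgz -o /tmp/update.tgz"}
{"pid": 4105, "process": "/usr/bin/curl", "cmdline": "curl -sL https://github.com/example/tool/releases/latest"}
this line is not JSON and must be skipped
"""


def match_event(event: Dict[str, object]) -> List[str]:
    """Return the names of every analytic this single process event satisfies."""
    proc = os.path.basename(str(event.get("process", ""))).lower()
    cmdline = str(event.get("cmdline", ""))
    hits = []
    for name, (want_proc, needles) in ANALYTICS.items():
        if proc == want_proc and all(n in cmdline for n in needles):
            hits.append(name)
    return hits


def scan(lines) -> List[Tuple[object, str, str]]:
    """Run all analytics over JSON-lines telemetry; returns (pid, analytic, cmdline)."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            # Malformed telemetry is skipped rather than aborting the hunt.
            continue
        for hit in match_event(event):
            findings.append((event.get("pid"), hit, str(event.get("cmdline", ""))))
    return findings


if __name__ == "__main__":
    for pid, analytic, cmdline in scan(SAMPLE_TELEMETRY.splitlines()):
        print(f"pid={pid} analytic={analytic} cmdline={cmdline}")
```

As the article notes, each analytic is written to catch multiple macOS malware families, and all three also fire on legitimate activity (installers writing LaunchAgents with PlistBuddy, developer tooling fetching from S3), so treat a hit as a lead to triage rather than a confirmed Silver Sparrow infection.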
In addition, users can protect their devices with free tools from vendors such as Malwarebytes, which scan the system and quarantine any malicious code they find, isolating it from the rest of the computer.