Find and Remove New Malware for MacOS Silver Sparrow
What is a Silver Sparrow? No, this is not a Game of Thrones character – has this ship already sailed? – but rather a new malware for macOS that runs on Intel and M1-based Macs. This makes it the second known malware for the latter, but there is a silver lining: Researchers found malware before it could actually harm your system.
As Tony Lambert of Red Canary writes:
“… the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload the malware will spread, whether the payload has already been delivered and removed, or whether the attacker has a future distribution timeline. Based on data provided to us by Malwarebytes, nearly 30,000 affected hosts have yet to download what will be the next or last payload. “
Head over to the Red Canary Blog for more technical insights into the Silver Sparrow. If you’re wondering if you’ve been infected, chances are you haven’t and won’t go any further – Apple has suspended the developer certificates used to sign package files that trigger the infection, which means Mac users won’t be able to install if they use the default Mac security settings. (I didn’t find the malware listed, so I can’t verify if your Mac will warn you that it won’t install, or if it just marks it as a malicious app and prevents you from doing so.)
However, if you are concerned that you may have been infected, think about what you have been doing with your system lately. Have you been offered a website to download the software package and / or update? Was this something that you didn’t intend to download or install until the website prompted you to do so? Was the mentioned package file named something simple and boring, such as “update.pkg” or “updater.pkg?”
If so, then there is reason to suspect. While there is no real way to determine if a specified malware is present on your system based on the observed behavior – since it does nothing at the moment and it is unclear if it ever will – you can look for files that malware dumps into your system. Red Canary marks four files that suggest your system might be infected:
- ~ / Library /._ ins (empty file used for malware to remove itself)
- /tmp/agent.sh (shell script to execute for setup callback)
- /tmp/version.json (file downloaded from S3 to define the flow of execution)
- /tmp/version.plist (version.json converted to property list)
This long (and incredibly useful) post from Ars Technica commentator Edgey will help you find problematic files, confirm that they are problematic, and delete them. Since Malwarebytes worked with Red Canary on detection data for its analysis and published portion, chances are good that using the free version of this popular malware scanner / removal tool will suffice as well.
If the current version of the app does not find and uninstall Silver Sparrow, make sure you update its definitions and run regular scans. I expect the company to release an update soon that will cleanse macOS of this annoying but otherwise stagnant malware.