Silver Sparrow: the silent malware that infects Macs

With the introduction of the new Macs with the M1 processor, Apple has ushered in a new generation of processors. As we know, this has generated curiosity in the global computing community, to the point of intriguing even its malicious part.

From the depths of the internet a new malware has emerged that apparently manages to slip onto the new architecture. We are talking about Silver Sparrow, the new malware that also threatens Macs with the Apple Silicon architecture.

Usually the biggest threat to a Mac is adware: small malicious programs that hijack the user's web browsing by automatically redirecting it to malicious URLs, regardless of what the user is looking for. Fortunately, they lodge in superficial parts of the system and can be eradicated with dedicated software such as Malwarebytes.

Unlike classic adware, Silver Sparrow is much more refined, as it slips into macOS and acts silently. The purpose of the malware is still unclear: although it has been identified on 30,000 machines across the globe, it has not yet caused any damage.

The attack modes of Silver Sparrow

Silver Sparrow comes in two different but similar architectural variants, affecting both Intel-based Macs and M1-based Macs. The Intel version consists of a .pkg package.

As reported on the Malwarebytes blog, the malicious application is distributed through an installation file called update.pkg or updater.pkg which, once launched, asks for user confirmation to carry out a check to determine whether the software can be installed.

Obviously this is the last chance to cancel the operation and avoid infection. The malware then executes some JavaScript code to install a launcher that runs the code in the verx.sh script every hour; this script contacts a server on Amazon AWS, receives some data, and looks for the file ~/Library/.insu.

The latter, apparently, is empty and serves the malware only as a marker to finish execution. Among the data the malware receives from the AWS server is the "downloadUrl" field which, at the time of writing, carries no argument, but which could potentially download further malicious code onto infected machines, causing damage of as yet unknown extent.
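As an added example (not code from the article or from Malwarebytes), the following POSIX shell script checks a home directory for the two persistence traces described above: a per-user LaunchAgent that runs verx.sh on a schedule, and the empty marker file ~/Library/.insu. The file names verx.sh and .insu come from the article; the LaunchAgent label, the script path inside the constructed plist, and the demo directory layout are assumptions made only for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from Malwarebytes: a small
# defensive check for the persistence traces described in the text, namely a
# LaunchAgent that runs verx.sh on a timer and the empty marker file
# ~/Library/.insu. The file names come from the article; the plist contents
# and the demo directory layout below are constructed for this example.

# scan_silver_sparrow_traces HOME_DIR
# Treats HOME_DIR as a user's home directory, prints every trace it finds and
# returns 0 when the home looks clean, 1 when at least one trace is present.
scan_silver_sparrow_traces() {
    home="$1"
    found=0

    # Trace 1: a per-user LaunchAgent whose program arguments mention verx.sh.
    # launchd runs these at login and, with StartInterval, on a timer, which is
    # how an "every hour" launcher is normally implemented on macOS.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q 'verx\.sh' "$plist"; then
            echo "suspicious LaunchAgent referencing verx.sh: $plist"
            found=1
        fi
    done

    # Trace 2: the marker file the script looks for before finishing.
    if [ -e "$home/Library/.insu" ]; then
        echo "marker file present: $home/Library/.insu"
        found=1
    fi

    return "$found"
}

# make_demo_home
# Builds a constructed, throw-away home directory containing both traces so
# the scanner can be exercised without a real infection. Prints the path.
make_demo_home() {
    demo=$(mktemp -d)
    mkdir -p "$demo/Library/LaunchAgents"
    # Constructed plist (label and script path are assumptions): an hourly
    # job, StartInterval 3600 seconds, running a script named verx.sh.
    cat > "$demo/Library/LaunchAgents/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>/Users/demo/Library/verx.sh</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
EOF
    : > "$demo/Library/.insu"   # empty marker file, as the article describes
    echo "$demo"
}

# Stand-alone use: scan the current user's home (override with SCAN_HOME).
if scan_silver_sparrow_traces "${SCAN_HOME:-$HOME}"; then
    echo "no Silver Sparrow traces found in ${SCAN_HOME:-$HOME}"
fi
```

Run it as `sh scan.sh` to check your own home directory, or `SCAN_HOME=$(sh -c '. ./scan.sh >/dev/null; make_demo_home')` style sourcing to try it against the constructed demo home. The check is deliberately narrow: it matches only the two artefacts the article names, so a clean result is not proof of a clean machine, and a full scan with an updated antivirus remains the reliable check.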

In addition, Apple has revoked the certificates of the developer accounts used to sign the packages, to prevent other Macs from being infected.

What do we know about this new malware at the moment

What we currently know about Silver Sparrow:

  • Apparently it was created to use the Mac as a sorting hub (a "marshalling port"); what material is to be sorted through it is still unknown.
  • It connects to its reference server every hour to check whether there are any commands to execute.
  • It is equipped with a small internal self-destruct routine.

For the moment the malware appears to be in a dormant phase, waiting for its full version to be released. If you are in doubt, in the meantime you can check whether your Mac has been infected by scanning it with the updated version of Malwarebytes, which includes detection of the traces of this malware.

Curated by Giulio Montanaro.

The article Silver Sparrow: Silent Malware Infecting Macs comes from Tech CuE | Close-up Engineering.