A new malware dubbed Silver Sparrow has infected over 30,000 MacBooks this week. As of now, not much is known about Silver Sparrow, since it has stayed inactive and has not executed or downloaded any additional payloads. However, security researchers from various companies have gained some insight into the malware.
Security researchers at Red Canary have identified two Silver Sparrow variants, with Version 1 attacking only Intel-based Macs, and Version 2 being developed to infect both Intel- and M1-based devices.
Interestingly, while the Intel-only version says, “Hello, World!” the M1-compatible variant displays the “You did it!” message.
It’s currently unclear how Silver Sparrow is spread. However, researchers noted that both Variant 1 and Variant 2 have “package” in their names, indicating that the threat is likely spread through malvertising and phishing tricks.
“We’ve found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as a legitimate application—such as Adobe Flash Player—or as updates,” Red Canary wrote.
While Silver Sparrow’s infrastructure is hosted on the Amazon Web Services S3 cloud platform, some of its callback domains are hosted through Akamai’s content delivery network (CDN).
Researchers explain that this infrastructure allows the malware to remain under the radar because it will blend in with the normal overhead of cloud infrastructure traffic. Furthermore, most companies cannot afford to block access to resources in AWS and Akamai.
Once installed, Silver Sparrow will execute by using Apple’s system.run command. This execution has an additional advantage for the threat actor because macOS’ system.run code will allow the malicious installer to spawn multiple bash processes that can later be used to accomplish Silver Sparrow’s objectives.
Once fully executed, Silver Sparrow will leave two scripts on the infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.
The agent.sh script will execute upon successful installation. It will establish a communication channel with a Command and Control (C2) server and will report the installation as successful.
The verx.sh script is programmed to execute periodically, using a persistent LaunchAgent to contact a remote host. This script is tasked with checking for further commands, including checking for additional content to download and execute.
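A defender's check for the on-disk artifacts described above, written as an added example (not code from the article or from Red Canary): it looks for the two script paths named here and for any per-user LaunchAgent plist that references verx.sh. The sample tree, the user name and the plist file name are constructed assumptions used only to exercise the check offline.

```shell
#!/bin/sh
# Added detection check, not the article's or Red Canary's code. ROOT is a
# path prefix ("/" on a live Mac, or a constructed tree for testing);
# HOME_DIR is the user's home directory relative to ROOT.
silver_sparrow_hits() {
    root="${1%/}"; home_dir="$2"; hits=0
    # Artifact 1: the post-install beacon script
    if [ -f "$root/tmp/agent.sh" ]; then
        echo "HIT: $root/tmp/agent.sh present" >&2
        hits=$((hits + 1))
    fi
    # Artifact 2: the periodic updater script
    verx="$root$home_dir/Library/Application Support/verx_updater/verx.sh"
    if [ -f "$verx" ]; then
        echo "HIT: $verx present" >&2
        hits=$((hits + 1))
    fi
    # Persistence: a LaunchAgent whose program arguments point at verx.sh
    for plist in "$root$home_dir/Library/LaunchAgents"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q 'verx\.sh' "$plist"; then
            echo "HIT: LaunchAgent $plist references verx.sh" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"   # number of indicators found (0 = none present)
}

# Constructed sample tree mimicking an infected user profile. The user
# "alice" and the plist name "init_verx.plist" are hypothetical.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/tmp" \
             "$t/Users/alice/Library/Application Support/verx_updater" \
             "$t/Users/alice/Library/LaunchAgents"
    : > "$t/tmp/agent.sh"
    : > "$t/Users/alice/Library/Application Support/verx_updater/verx.sh"
    printf '<plist><dict><key>ProgramArguments</key><array><string>%s</string></array></dict></plist>\n' \
        '/Users/alice/Library/Application Support/verx_updater/verx.sh' \
        > "$t/Users/alice/Library/LaunchAgents/init_verx.plist"
    echo "$t"
}

# Live use on a Mac: silver_sparrow_hits / "/Users/$USER"
```

A result of 0 means none of the three indicators is present; a partial count (for example only the LaunchAgent) still warrants a closer look at that file.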