Silver Sparrow Malware: Breaking Down the Virus That Broke Into More Than 30,000 MacBooks

A new malware dubbed Silver Sparrow has infected over 30,000 MacBooks this week. As of now, not much is known about Silver Sparrow since it has stayed inactive and has not executed or downloaded any additional payloads. However, security researchers from various companies have gained some insight on the malware.

Security researchers at Red Canary have identified two Silver Sparrow variants, with Version 1 attacking only Intel-based Macs, and Version 2 being developed to infect both Intel- and M1-based devices.

Both variants have external Mach-O binaries that have no role in the installation except to “give the PKG something to distribute outside the JavaScript execution,” experts explain. This inclusion was likely made to make the package look legitimate.

Interestingly, while the Intel-only version prints “Hello, World!”, the M1-compatible variant displays the message “You did it!”.

Malware Distribution

It’s currently unclear how Silver Sparrow is spread. However, researchers noted that both Variant 1 and Variant 2 have “package” in their names, indicating that the threat is likely spread through malvertising and phishing tricks.

“We’ve found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as a legitimate application—such as Adobe Flash Player—or as updates,” Red Canary wrote.

Cloud Infrastructure

While Silver Sparrow’s infrastructure is hosted on the Amazon Web Services S3 cloud platform, some of its callback domains are hosted through Akamai’s content delivery network (CDN).

Researchers explain that this infrastructure allows the malware to remain under the radar because it will blend in with the normal overhead of cloud infrastructure traffic. Furthermore, most companies cannot afford to block access to resources in AWS and Akamai.

Malware Payload

Silver Sparrow uses an uncommon macOS payload that is based on the JavaScript programming language. According to the analysis, Silver Sparrow uses the macOS Installer JavaScript API to execute suspicious commands.

Such payload execution has additional advantages for the malicious actor. Researchers note that by running malicious JavaScript commands through the legitimate macOS Installer, the malware is very likely to remain hidden, because the Installer limits the visibility of the content within the installation package.

Once installed, Silver Sparrow executes by using Apple’s system.run command. This execution has a further advantage for the threat actor, because the macOS system.run call allows the malicious installer to spawn multiple bash processes that can later be used to accomplish Silver Sparrow’s objectives.

Once fully executed, Silver Sparrow leaves two scripts on the infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.

The agent.sh script executes upon successful installation. It establishes a communication channel with a Command and Control (C2) server and reports the installation as successful.

The verx.sh script is programmed to execute periodically, using a persistent LaunchAgent to contact a remote host. This script is tasked with checking for further commands, including checking for additional content to download and execute.
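One way a defender could check a Mac for the two scripts and the LaunchAgent persistence described above, as an added example that is not Red Canary’s or the article’s code. The function name, the optional path-prefix and home-directory arguments (so it can be run against a constructed test tree), and the grep pattern used to spot a plist pointing at verx.sh are assumptions.

```shell
#!/bin/sh
# Hypothetical hunting helper (not from the article or Red Canary).
# Looks for the on-disk artifacts the article attributes to Silver Sparrow:
#   /tmp/agent.sh
#   ~/Library/Application Support/verx_updater/verx.sh
# and for any per-user LaunchAgent plist that references verx.sh, which is
# the persistence mechanism the article describes.
# Prints each finding; returns 0 if nothing is found, 1 otherwise.
# Note: /tmp/agent.sh only runs once after install and may already be gone.

check_silver_sparrow_artifacts() {
    root="${1:-}"          # path prefix for /tmp (empty on a live host)
    home="${2:-$HOME}"     # home directory to inspect
    found=0

    for f in "$root/tmp/agent.sh" \
             "$home/Library/Application Support/verx_updater/verx.sh"; do
        if [ -e "$f" ]; then
            echo "artifact: $f"
            found=1
        fi
    done

    # Per-user LaunchAgents live under ~/Library/LaunchAgents; a plist whose
    # program arguments point at verx.sh is the periodic execution hook.
    agents="$home/Library/LaunchAgents"
    if [ -d "$agents" ]; then
        for plist in "$agents"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q 'verx_updater/verx.sh' "$plist"; then
                echo "launchagent: $plist"
                found=1
            fi
        done
    fi
    return $found
}

# Scan the live host only when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_silver_sparrow_artifacts
fi
```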

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
