Silver Sparrow – MacOS Malware in Development

A new and widespread infection

Silver Sparrow is malicious software that infects Mac devices. For now, it does not install any malware. But it’s a threat nevertheless. Red Canary discovered Silver Sparrow and released a report on it on February 18.

The report says that Silver Sparrow can be traced back to at least August 2020. In February of 2021, it was discovered to have infected thirty thousand computers all over the world (in 153 countries!). This is the number of infections seen by Malwarebytes. Since not all Mac owners use Malwarebytes, the real number of Silver Sparrow infections is probably much higher.

The Red Canary researchers noted that Silver Sparrow runs natively on the new M1 Macs. This is interesting: it shows that Silver Sparrow is new, and it's probably still being actively developed.

Indeed, researchers say that Silver Sparrow contained a “Hello World” program (Wikipedia) which might have been a placeholder for a more serious payload.


Harmless, for now

Once Silver Sparrow is installed, it reports back to its operators. It sends the device’s unique identifier (UUID) and the address which downloaded the Silver Sparrow malware onto the Mac.

After that, Silver Sparrow does nothing malicious. But it checks constantly for new instructions. It downloads a file every hour and reads it to see if it has new content. So far, the payload has been empty. But this could change in the future.
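An added example (not from the original post or from Red Canary's report): a Python audit that lists scheduled launchd jobs which run every hour and call a download tool or touch a temp directory, the check-in pattern described above. It assumes the hourly check is scheduled as a launchd job, which the post does not state; the tool list, reason strings and sample jobs are constructed for illustration.

```python
import plistlib
from pathlib import Path

HOUR = 3600  # seconds; the post says the check happens every hour
FETCHERS = {"curl", "wget"}  # heuristic tool list, not a Silver Sparrow signature
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/")
AGENT_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents",
              "/Library/LaunchDaemons")

# Constructed sample jobs, not real Silver Sparrow artifacts.
SAMPLE_HOURLY_FETCH = {
    "Label": "com.example.agent", "StartInterval": 3600,
    "ProgramArguments": ["/bin/sh", "-c",
                         "curl -s https://example.invalid/v -o /tmp/v.json"]}
SAMPLE_BENIGN = {"Label": "com.example.backup", "StartInterval": 86400,
                 "ProgramArguments": ["/usr/local/bin/backup"]}

def review_job(job):
    """Return reasons a launchd job looks like an hourly downloader."""
    if not isinstance(job, dict) or job.get("StartInterval") != HOUR:
        return []
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    command = " ".join(str(a) for a in args)
    reasons = []
    if any(Path(tok).name in FETCHERS for tok in command.split()):
        reasons.append("runs a download tool")
    if any(d in command for d in TEMP_DIRS):
        reasons.append("uses a temp directory")
    return reasons

def scan(dirs=AGENT_DIRS):
    """Map each matching .plist path under dirs to its list of reasons."""
    findings = {}
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                job = plistlib.loads(path.read_bytes())
            except Exception:
                continue  # unreadable or malformed plist: skip it
            reasons = review_job(job)
            if reasons:
                findings[str(path)] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path, "->", "; ".join(reasons))
```

A match is a lead to review by hand, not proof of infection: legitimate updaters can also run hourly and fetch files.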

I’ve seen people say that the media is sensationalizing the story and that Silver Sparrow is harmless. For now, that’s true. But, in theory, Silver Sparrow could be used to download spyware or other malware on the infected Macs. It’s very important to be aware of this threat.

The Red Canary researchers also noted that Silver Sparrow is able to delete itself. It checks for a particular file and deletes itself if it finds it.

The researchers at Red Canary suspect that Silver Sparrow is spread by malicious ads and redirects online, and they specifically name malicious search engine results.

Adware infections (such as Shlayer and AdLoad) cause infected Macs to open unwanted and even dangerous websites.

Sometimes, adware infections change network settings, forcing the victims’ traffic to go through a malicious server.

And it’s possible to encounter dangerous websites even when your Mac is squeaky clean. Advertisements get infected with dangerous content.

Check Red Canary’s report for the more technical details, including what files you could expect to find in your Tmp and Library folders if Silver Sparrow has infected your Mac.

By now, antivirus vendors have made sure that their products detect Silver Sparrow and warn their users (see Virustotal.com). The detection labels include:

  • Trojan
  • Malware
  • OSX/Agent.BL
  • Downloader