Cyber Protection Group hopes everyone stays warm, safe, and secure during this large winter storm!


Mac’s Newest Malware: Silver Sparrow

Apple released a new line of macs which include their newly developed M1 processors.  However, attackers took no time at all to develop malware to run on these systems.  Recently, nearly 30,000 macs have been discovered harboring a piece of malware named, “Silver Sparrow.”


Mac Processors

Until now, Apple used other manufacturers’ processors in their systems.  For the first time, Apple implemented their own manufactured processors into their newest lines of computers.  Named the M1 chip, Apple’s website claims “it delivers incredible performance, custom technologies, and revolutionary power efficiency.”  This chip contains integrated graphics with higher performance to power ratios compared to intel.  Additionally, the M1 chip integrates Apple’s latest neural engine which can execute 11 trillion operations per second.  With the ability to manufacture their own processors to compete with companies like Intel and AMD, the M1 processor is just one small step for the potentially giant leap Apple can make in computing.


Silver Sparrow Malware

Red Canary, the team that identified the malware, has been analyzing Silver Sparrow.  They discovered that it runs on the previous Intel x86_64 processors and Apple’s brand new M1 processors.  Additionally, they discovered two distributional forms: “updater.pkg”, that soley operates on the M1 processor, and “update.pkg”, that operates on both Intel and M1 processors.

Silver Sparrow does not seem to possess a direct purpose (as of right now at least).  Researcher and analysts at Red Canary do not see it downloading payloads, distributing payloads, or even executing commands at this time.  Furthermore, researchers have only observed it displaying a message on screen saying “Hello World” or “You did it!”  Despite the lack of obvious intentions, Silver Sparrow  may possess future intentions of malicious activity or act as a form of malware in development for M1 processors.

Finally, traditional malware attaches itself to other executable programs, or contains code to install additional malware.  However, Silver Sparrow utilizes JavaScript API to execute its commands.  By using JavasScript, Silver Sparrow makes it easier to hide itself and harder for security tools to detect its behavior.


How to Avoid Those Sparrows

Perhaps you own a new Apple product with their new M1 chip or see those “Hello World” and “You did it!” messages.  If so, you can download a program called Malwarebytes.  Malwarebytes is a free antivirus and antimalware program that can detect Silver Sparrow in their latest update.  Furthermore, the researchers at Red Canary issued statements that contain a checklist to look for Silver Sparrow.

  • Look for a process that appears to be PlistBuddy executing in conjunction with a command line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
  • Look for a process that appears to be sqlite3 executing in conjunction with a
    command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
  • Look for a process that appears to be curl executing in conjunction with a command line that contains: This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

With early finding and analysis, hopefully Silver Sparrow can be mitigated before it causes a severe impact.  Additionally, Apple can learn from Silver Sparrow’s behavior and increase its security hardening efforts for its new M1 processors.