Jamf Blog
February 22, 2021 by Matthias Wollnik

Silver Sparrow Mac-specific malware

The new Mac-focused malware Silver Sparrow has been found on more than 29k macOS endpoints, and it runs natively on both Intel and M1 chips. Luckily, it appears to be laying the foundation for a future payload and so far appears benign. And you can find and remove it.

Early days of a Mac attack campaign

This weekend, the team at Red Canary wrote about a new Mac-focused malware they dubbed Silver Sparrow. Now, identifying new malware is a common activity for research teams across the globe. However, few groups are spending time looking for Mac-specific malware, let alone identifying one of the more interesting examples of a threat framework as it’s growing. It's great to see more researchers interested in Mac malware.

What is Silver Sparrow?

While we suggest you read through the report in detail, here are some of the highlights:

  • Silver Sparrow is Mac-specific malware. This does not appear to be a cross-platform attack.
  • This malware has been found in the wild on more than 29k macOS endpoints, but the first examples were submitted to VirusTotal on August 31, 2020.
  • There are two versions of the malware making the rounds: one for Intel-based Macs and one that is a universal binary that attacks M1-based Macs natively.

Figure (image source: redcanary.com), the infection chain of each version:

  • Version 1: updater.pkg -> JavaScript code -> Intel x86_64 bystander binary updater -> Silver Sparrow shell scripts: persistence, command and control, profit?
  • Version 2: update.pkg -> JavaScript code -> Intel x86_64 & M1 ARM64 bystander binary update tasker

Aspects we haven't seen in Mac malware until now

As we dig into the malware in question, we can see some interesting aspects that we have not often seen in Mac malware up to this point:

  • The package (PKG or DMG file) uses preinstall/postinstall scripts to report back to the creators about the infection and achieve persistence.
  • These scripts leverage the system.run command to build two JavaScript files dynamically that perform the actual malware logic. This may be an attempt to make it more difficult to build signatures for anti-virus tools.
  • The JavaScript files respectively report the installation and set up persistence via PlistBuddy for a Command and Control (C2) beacon.
  • The C2 beaconing process attempts to retrieve a payload for the malware. However, up to this point, no payload has been identified.
  • A binary is included in the malware that does not seem to be run under any known circumstances. When purposefully executed, it opens up a window that shows the message “Hello, World” or “You did it.”

A full list of indicators of compromise (IOCs) is, of course, included in the report.

Expect M1-targeted Mac attacks

As we discussed recently, M1-targeted attacks are not unexpected. Any malware built to attack Macs can theoretically be compiled to run on M1 devices directly. Unless something specific in the M1 architecture prevents the attack, the malware will run just fine. Even more so: thanks to Rosetta, even the Intel-targeted version of Mac malware will run on an M1 device.

Malware authors see the same benefits to rebuilding their software for M1 as other developers do: better performance and lower device impact. We really can’t blame them for adopting M1-targeted universal binaries.

The question comes down to this: how do we identify and prevent these attacks?

Luckily, this malware appears benign today. Since there is no payload being distributed and the malware without the payload seems to only achieve persistence, the main impact is the potential risk of a future payload, potential exposure of device/network information, and resource consumption. What this does look like is the start of a bigger malware campaign against Macs.

Similar to bot-nets

Malware frameworks like this have been discovered on Windows for many years, but they have been a lot more sparse on Macs. Oftentimes, we’ve referred to them as bot-nets. These kinds of attack campaigns tend to start slow, spreading across many devices quietly until they are activated by the attackers by deploying specific capabilities. This looks like the early parts of a major Mac bot-net. Identifying and combating it now is much easier than trying to break it apart once it has gone active.

Identifying and removing Silver Sparrow from devices

The malware as it stands today is not overly difficult to identify, and even to remove from devices:

  • The list of known versions of the initial PKG/DMG file is short, and hashes are available.
  • The list of both static and dynamic files is well understood.
  • We know how to identify the LaunchAgent persistence.

Moreover, the developer certificate used to sign the initial binaries has been revoked by Apple.
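A defender-side triage helper, added here as an example and not Jamf's or Red Canary's code: it enumerates launchd plists in the usual persistence directories, hashes the files they launch against an IoC list, and flags agents that run a program from a user-writable path. The hash set is a labelled placeholder to be replaced with the SHA-256 values from the report; the directory list and the user-writable prefixes are assumptions.

```python
import hashlib
import os
import plistlib
from pathlib import Path

# Placeholder IoC set (constructed, NOT the real Silver Sparrow hashes): replace
# with the SHA-256 values published in the Red Canary report.
KNOWN_BAD_SHA256 = {"00" * 32}
# Default launchd persistence locations on macOS: per-user agents, then system-wide.
LAUNCH_DIRS = [Path(os.environ.get("HOME", "/var/root")) / "Library/LaunchAgents",
               Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
# Paths a non-admin installer can write to; a launchd item that runs a script from
# here deserves a manual look, since the malware persists via shell scripts.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def sha256_of(path):  # stream the file so large binaries are not read into memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def launch_items(dirs=LAUNCH_DIRS):
    """Return (plist path, Label, argv) for every parseable launchd plist in dirs."""
    items = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for plist in sorted(Path(d).glob("*.plist")):
            try:
                with open(plist, "rb") as f:
                    data = plistlib.load(f)
            except Exception:  # unparseable plist: skipped here, inspect by hand
                continue
            argv = data.get("ProgramArguments") or [data.get("Program", "")]
            items.append((str(plist), str(data.get("Label", "")), [str(a) for a in argv]))
    return items


def triage(items, bad_hashes=KNOWN_BAD_SHA256, user_writable=USER_WRITABLE):
    """Return (plist path, reason) for items whose argv references a file with a
    known-bad hash, or any path under a user-writable location."""
    findings = []
    for plist, label, argv in items:
        for arg in argv:
            if Path(arg).is_file() and sha256_of(arg) in bad_hashes:
                findings.append((plist, f"{label}: known-bad hash for {arg}"))
            elif arg.startswith(user_writable):
                findings.append((plist, f"{label}: runs from user-writable path {arg}"))
    return findings
```

Run `triage(launch_items())` on an endpoint and act on a hash hit; the user-writable finding is a lead for manual review, not proof of compromise.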

Jamf Protect can help

Of course, Jamf Protect is here to help. We already prevent the execution of the existing (seemingly benign) payload through our Threat Prevention feature. We also prevent the beaconing activity in the shell command that alerts C2 servers to retrieve new workloads.

As we learn more about this malware, we’ll keep you up to date. If you are a Jamf Protect customer, please ensure you have Threat Prevention enabled to keep your devices safe against this and similar attacks.

Jamf Protect is purpose-built endpoint protection for the Mac.
