30,000 Macs Infected With Silver Sparrow Malware

image credit: Scully & Scully

published by Chand Bellur
February 23, 2021 at 5:16 p.m.

 

  • Security researchers from Red Canary discovered new malware infecting 30,000 Macs.
  • The malicious software, dubbed “Silver Sparrow”, infects machines inconspicuously through an app installer.
  • Silver Sparrow contains no payload; it only installs a backdoor into the user’s Macintosh.
  • The newest version of Silver Sparrow can infect M1 processor Macs.

Silver Sparrow Infects 30,000 Macs

Malware of unknown origin has already infected 30,000 Macs throughout the world. Known as Silver Sparrow, the malicious software infects computers by exploiting the app installation process. Users click on an ad to download an app, such as Adobe Flash, but end up installing potentially harmful malware instead. The software, capable of evading Apple’s security systems, sets up a sort of back door for future activity.

This latest round of Mac malware demonstrates that virtually no computer is safe from attack. It comes soon after Google’s Project Zero revealed that a remote attacker could completely control iPhones. The Windows world is still recovering from the SolarWinds Orion hack, which may be the worst in computing history.

Silver Sparrow Hijacks Installation Process

Silver Sparrow is unique because it’s the first malware to leverage the macOS installer’s JavaScript API. By using this method, the malicious software evades detection, leaving a minimal footprint. The macOS installer offers little transparency, enabling this novel exploit.

During installation, the malware creates a series of functions using JavaScript. These simple tools allow Silver Sparrow to run command-line scripts, installing its components. The malware sets up communications between its client app and a server, hosted right in the open, in Amazon’s data center.

Silver Sparrow’s resemblance to standard software, to the point of being hosted on AWS S3, made it easier to evade detection. In every respect, it appears to be conventional software until examination of its contents.

Silver Sparrow Harmless, So Far

Through both of its versions, Silver Sparrow never harbored an actual payload — the executable and destructive feature of malware. Instead, it set up a backdoor to install some future exploit.

The malware hooks into macOS’s LaunchAgent feature. The service allows apps to execute scripts at defined intervals. Silver Sparrow uses this scheduler to check for and install updates; however, researchers never found any additional components delivered.

Silver Sparrow also includes an innovative means to delete itself. A remote system can delete the malicious software by pushing a specific file live, presumably to evade detection.

Silver Sparrow is Sophisticated

The latest malware targeting Macs is likely the work of an experienced hacking group. It’s possible, given the level of sophistication, that a state-sponsored group created the malicious software. At this time, however, it’s unknown who is behind Silver Sparrow.

It should be possible to trace down some point of origin. After all, the hackers are hosting their server-side components in Amazon’s data center. Someone must be paying the bills. Perhaps following the money will yield an answer as to who created the virus and for what ends.

How to Remove Silver Sparrow

Thanks to Red Canary’s discovery, Apple will be able to address Silver Sparrow promptly. Expect a future macOS update to patch the security flaw and remove the malware, if present. Although Apple has revoked the malicious software developers’ digital certificates, the hackers can generate another.

If you haven’t downloaded any Mac software from the web in the past seven months, it’s unlikely your computer was infected. Major software vendors often choose to bypass the App Store and distribute software on the web.

If you installed well-known software from its original domain on the web, you’re fine. For example, installing Ableton Live from Ableton.com will not put you at risk for malware infection. If you installed Adobe Flash from some shady website, you might have Silver Sparrow on your system.

Although it’s possible to delete Silver Sparrow manually, this is a task suited for more advanced users. Appledystopia recommends waiting for Apple’s software update. If you’re inclined to do this yourself, Red Canary provides in-depth information on detecting the malware and where its components reside in the file system.

Leave a comment

Your email address will not be published.