A new piece of malware that targets both M-series and Intel Macs has affected about 30,000 systems in 153 countries. The malware is called "Silver Sparrow", but at the moment many details are not known about how it was distributed or the purpose of the attacks on Mac computers.

Some information about Silver Sparrow
Silver Sparrow is said to take advantage of a vulnerability in the macOS Installer JavaScript API in order to execute dangerous commands. Security researchers at Red Canary say the only payloads found are two placeholder apps. The version for M-series Macs displays only one message that says: "You did it!".
Experts have so far not found any malicious or dangerous behavior of the malware.
However, as mentioned, it can affect both Intel and M-series Macs, and this feature makes it almost unique. Apple introduced the first Macs with the M1 processor in November 2020. Judging from the creation of Silver Sparrow, cyber criminals did not take long to target these systems.

The first report on Silver Sparrow was published just a few days ago, on February 18th. Security investigators are therefore still collecting information and, as we said before, they do not yet know how it is distributed.
However, they have discovered some of the files that the malware adds to an infected Mac. According to Red Canary researchers, these files include:
- ~/Library/._insu
- /tmp/agent.sh
- /tmp/version.json
- /tmp/version.plist
A search with Finder (the macOS file manager) can detect them. A computer that has the above files is most likely infected.
There are two versions of the malware. One only infects Intel Macs. The other version infects both.

How to find the Silver Sparrow version targeting M-series and Intel Macs?
The version that can affect M-series or Intel Macs comes through:
update.pkg
MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149
The payload is:
tasker.app/Contents/MacOS/tasker
MD5: b370191228fef82635e39a137be470af
This version of Silver Sparrow also creates:
- specialattributes.s3.amazonaws[.]com
- ~/Library/Application Support/verx_updater/verx.sh
- /tmp/verx
- ~/Library/Launchagents/verx.plist
- ~/Library/Launchagents/init_verx.plist
Again, a search with the macOS file manager may display the above on an infected device.
The developer ID of the payload is Julie Willey (MSZ3ZH74RK). Apple revoked this account to prevent the further spread of Silver Sparrow.
How to find the original version of Silver Sparrow targeting only Intel Macs?
The version that affects Intel-based Macs comes through:
updater.pkg
MD5: 30c9bc7d40454e501c358f77449071aa
The payload is:
File name: updater
MD5: c668003c9c5b1689ba47a431512b03cc
This version of the malware also creates:
- mobiletraits.s3.amazonaws[.]com
- ~/Library/Application Support/agent_updater/agent.sh
- /tmp/agent
- ~/Library/Launchagents/agent.plist
- ~/Library/Launchagents/init_agent.plist
The binary signature of the payload comes from Developer ID Saotia Seay (5834W6MYX3), which has also been removed by Apple.
If you are worried about the safety of your Mac, it would be good to look for the above items. If you find any of these, then you are probably infected with Silver Sparrow.
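The file checks listed above can be scripted instead of searched for one by one in Finder. The following shell function is an added example, not code from Red Canary or from the original article; the function name `silver_sparrow_hits` and its two parameters (a home directory and an optional root prefix) are assumptions of this example, and it checks file presence only, not the MD5 values or the domains.

```shell
#!/bin/sh
# Added example: looks for the Silver Sparrow file indicators from this article.
# Paths are given relative to a home directory and a root prefix (this example's
# own convention) so the check can also be run against a mounted disk copy.

# Indicators under the user's home directory (spelling as given in the article).
HOME_IOCS='Library/._insu
Library/Application Support/verx_updater/verx.sh
Library/Launchagents/verx.plist
Library/Launchagents/init_verx.plist
Library/Application Support/agent_updater/agent.sh
Library/Launchagents/agent.plist
Library/Launchagents/init_agent.plist'

# Indicators under /tmp (from the article).
TMP_IOCS='tmp/agent.sh
tmp/version.json
tmp/version.plist
tmp/verx
tmp/agent'

# silver_sparrow_hits HOME_DIR [ROOT]
# Prints one line per indicator that exists; prints nothing on a clean system.
silver_sparrow_hits() {
    home_dir=$1
    root=${2:-}
    printf '%s\n' "$HOME_IOCS" | while IFS= read -r rel; do
        if [ -e "$home_dir/$rel" ]; then printf '%s\n' "$home_dir/$rel"; fi
    done
    printf '%s\n' "$TMP_IOCS" | while IFS= read -r rel; do
        if [ -e "$root/$rel" ]; then printf '%s\n' "$root/$rel"; fi
    done
    return 0
}

# Scan the current user's home directory and the live /tmp.
hits=$(silver_sparrow_hits "${HOME:-/nonexistent}" "")
if [ -n "$hits" ]; then
    printf 'Silver Sparrow indicators found:\n%s\n' "$hits"
else
    echo 'No Silver Sparrow file indicators found.'
fi
```

The scan covers only the account that runs it; on a Mac with several users, repeat it with each user's home directory as the first argument.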
Source: Cult of Mac