Researchers at Red Canary recently broke news of a novel new macOS infection dubbed Silver Sparrow. Given headlines that suggest this is a new malware threat that has infected “30,000 devices”, targets both Intel and Apple Silicon M1 devices, and has “security pros stumped”, end users and enterprise security teams alike are expressing concerns about what Silver Sparrow is, whether they are protected (spoiler: if you are a SentinelOne customer, yes you are) and how they can hunt for it on devices that are not protected by a modern next-gen security platform. In this post, we explain what Silver Sparrow is, how dangerous it is, and whether you should be concerned about it.
Silver Sparrow is the name given to an infection threat identified by researchers that uses the Apple installer package format and a novel mechanism for running a preinstall script.
While the installer package, readily identifiable from the
.pkg file extension, typically uses dedicated preinstall and postinstall shell scripts for preparing and cleaning up software installations, Silver Sparrow takes a different approach and (ab)uses the Distribution file to run JavsScript code during the installation process.
The Distribution file contains over 100 lines of code which function to:
agentNamesare “virx” and “agent”) in
That all sounds worrisome, but despite the headlines, there is no imminent threat to users or enterprises from the Silver Sparrow malware. The 30,000 infections reported in the media may or may not be an accurate count, but the fact is that number is based on researchers detecting two variants, neither of which have delivered a payload to date, and more importantly, neither of which can deliver a payload any longer.
The original research title was apt, but ignored by many commentators: “Clipping Silver Sparrow’s Wings: Outing macOS malware before it takes flight”. The title reflects the fact that not only have new installations been blocked by Apple revoking the installers’ signatures but also existing installations cannot deliver a payload since the hardcoded URLs, located on AWS S3 instances, have also been taken down by Amazon. It’s worth repeating for those that didn’t read the original research: no payload was ever delivered prior to the actions taken by Apple and Amazon.
Importantly, if you inspect the Silver Sparrow installer package in a tool like ‘Suspicious Package’, you will not be able to see the malicious script.
Analysts can use the shareware tool Pacifist to inspect the Distribution file, however:
The second reason is that Silver Sparrow is another example of recently compiled malware that targets both of Apple’s hardware architectures: Intel and Apple Silicon.
Seeing malware target the new ARM architecture creates a lot of interest, but that is entirely expected. Basically, any software developer creating or compiling any software using the latest version of Xcode will by default create a universal binary that contains binaries for both Intel and ARM architectures.
So while this is still relatively new (given that Apple Silicon is relatively new), expect to see this increasingly going forward.
As noted above, Silver Sparrow is a dropper and persistence mechanism, but there has to date been no known payload. However, from the way the observed components work, we can make some reasonable inferences about what kind of malware Silver Sparrow was designed to deliver.
First, note that the installer uses a ‘tried and tested’ technique typical of adware for campaign tracking. This technique involves scraping the download URL from the user’s LSQuarantineEvents database.
That in itself suggests that Silver Sparrow is likely selling itself as a mechanism to 3rd party “affiliates” or pay-per-install (PPI) partners. The existence of this technique shows that the developers are aiming to monetize the delivery of payloads, and as such puts it firmly in the category of commodity adware/malware.
Second, the Silver Sparrow installer packages observed to date contained what the original researchers called ‘bystander apps’: dummy apps that have no perceived purpose. This suggests that the authors may have been trialling the delivery mechanism in order to later offer it to “bundleware” clients that wrap free or cracked apps around the malicious installer, a technique that is widely used by commodity adware and PUP installers.
None of the above is a reason not to be concerned. Adware and PUPs are nuisances at best and security concerns at worst. Fortunately, there is very little risk of infection from this threat at the current time.
SentinelOne customers are protected from all known samples of Silver Sparrow, and we are actively engaged in tracking and blocking any new variants of this threat. If you are not a SentinelOne customer yet, the good news is that there is a universal kill switch that can keep you protected. The Silver Sparrow persistence agent runs a program that uninstalls the malware in the event that a certain zero byte file exists in the Users Library folder.
You can create such a file using the
touch command, like so:
Again, it is worth reiterating that none of the known samples are capable of either installing or delivering a payload, so even those unprotected users that may have previously ran the Silver Sparrow installer before it was blocked cannot now receive a payload.
Despite the fact that the Silver Sparrow has no known payload, the mechanism is an interesting proof of concept. Security teams and individuals can look for the following indicators of compromise:
Silver Sparrow represents a novel infection mechanism but to date has no known malicious payload. While users are right to be concerned about any new threat that appears to bypass static signature mechanisms, current evidence suggests that Silver Sparrow is a proof of concept set up by an actor looking to sell an install mechanism to adware/PPI clients.