3/23/2023

UPDATE: A previous version of this blog stated that, "...Silver Sparrow had infected 29,139 macOS endpoints...." We have updated it to state that the Silver Sparrow activity cluster affected 29,139 macOS endpoints. This distinction may seem small, but it's important because the Silver Sparrow activity cluster comprises multiple artifacts, including clearly malicious files and unusual or suspicious ones too. One file we chose to include in the cluster is the `._insu` file that seems to instruct the malware to remove itself from an endpoint. A subset of those 29,139 machines were infected by one of the two malicious packages described in this blog, while the majority contained the `._insu` file check and were therefore affected by the overall Silver Sparrow activity cluster as we define it. Other teams may cluster this activity differently based on their assessments.

Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence. However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we've come to expect from the usual adware that so often targets macOS systems. The novelty of this downloader arises primarily from the way it uses JavaScript for execution, something we hadn't previously encountered in other macOS malware, and the emergence of a related binary compiled for Apple's new M1 ARM64 architecture. We've dubbed this activity cluster "Silver Sparrow."

According to data provided by Malwarebytes, the Silver Sparrow activity cluster affected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany. Thanks to contributions from Erika Noerenberg and Thomas Reed from Malwarebytes and Jimmy Astle from VMware Carbon Black, we quickly realized that we were dealing with what appeared to be a previously undetected strain of malware.

Though we haven't observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest Silver Sparrow is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice. Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.

The rest of this post will be organized into the following sections:

- A technical analysis of two Silver Sparrow malware samples
- An explanation of intelligence gaps and blindspots
- Guidance on detection opportunities for Silver Sparrow
- A list of indicators that we've encountered while investigating this threat

Our investigation uncovered two versions of Silver Sparrow malware, which we will refer to as "version 1" and "version 2" throughout this post (see the Indicators of Compromise section for a summary of indicators surrounding these two samples):

File name: updater.pkg (installer package for v1)
File name: update.pkg (installer package for v2)

Outside of a change in download URLs and script comments, the two versions had only one major difference. The first version contained a Mach-O binary compiled for Intel x86_64 architecture only (updater MD5: c668003c9c5b1689ba47a431512b03cc). In the second version, the adversary included a Mach-O binary compiled for both Intel x86_64 and M1 ARM64 architectures (tasker MD5: b370191228fef82635e39a137be470af). This is significant because the M1 ARM64 architecture is young, and researchers have uncovered very few threats for the new platform.

As we'll explain in detail in the technical analysis, the Mach-O compiled binaries don't seem to do all that much, at least not as of this writing, and so we've been calling them "bystander binaries." The following image represents a high-level look at the two versions of Silver Sparrow malware.

We've found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as a legitimate application, such as Adobe Flash Player, or as updates. In this case, however, the adversary distributed the malware in two distinct packages: updater.pkg and update.pkg. Both versions use the same techniques to execute, differing only in the compilation of the bystander binary.

In order of appearance, the first novel and noteworthy thing about Silver Sparrow is that its installer packages leverage the macOS Installer JavaScript API to execute suspicious commands.
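The one structural difference between the two versions described above is whether the bystander binary is a thin Intel Mach-O or a universal (fat) image carrying both an x86_64 and an arm64 slice. The following is an added example, not Red Canary's code or tooling, that makes that call from the file header alone, the way `file` or `lipo -archs` would. The header bytes built by the helper functions are constructed for demonstration and are not taken from the Silver Sparrow binaries.

```python
"""Tell a thin Intel Mach-O from a universal (fat) x86_64+arm64 image by
reading only the file header. Added example, not the write-up's own code;
the sample headers below are constructed, not the real bystander binaries.
"""
import struct

FAT_MAGIC = 0xCAFEBABE    # fat header magic, always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit Mach-O header magic
# struct fat_arch is five 32-bit fields: cputype, cpusubtype, offset, size, align
FAT_ARCH_SIZE = 20
# A real fat binary holds a handful of slices. Java class files share the
# CAFEBABE magic, but the word after it is a class-file version (45 and up),
# so an implausible slice count is the tell.
MAX_FAT_ARCHS = 20

CPU_TYPE_NAMES = {
    0x01000007: "x86_64",  # CPU_TYPE_X86 | CPU_ARCH_ABI64
    0x0100000C: "arm64",   # CPU_TYPE_ARM | CPU_ARCH_ABI64
}


def _name(cputype: int) -> str:
    return CPU_TYPE_NAMES.get(cputype, f"unknown(0x{cputype:08x})")


def macho_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures present in a Mach-O image, in slice order."""
    if len(data) < 8:
        raise ValueError("too short to hold a Mach-O header")
    magic_be, word_be = struct.unpack(">II", data[:8])
    if magic_be == FAT_MAGIC:
        nfat = word_be
        if nfat == 0 or nfat > MAX_FAT_ARCHS:
            raise ValueError("CAFEBABE magic but implausible slice count (Java class file?)")
        if len(data) < 8 + nfat * FAT_ARCH_SIZE:
            raise ValueError("truncated fat header")
        return [_name(struct.unpack(">I", data[8 + i * FAT_ARCH_SIZE:12 + i * FAT_ARCH_SIZE])[0])
                for i in range(nfat)]
    # Thin 64-bit header: magic and cputype share the file's own byte order.
    for order in ("<", ">"):
        magic, cputype = struct.unpack(order + "II", data[:8])
        if magic == MH_MAGIC_64:
            return [_name(cputype)]
    raise ValueError("not a 64-bit Mach-O or fat header")


def classify(data: bytes) -> str:
    """'thin: <arch>' for a single-slice image, 'universal: a+b' otherwise."""
    archs = macho_architectures(data)
    return ("universal: " if len(archs) > 1 else "thin: ") + "+".join(archs)


# --- constructed sample headers (not real samples) ------------------------

def thin_x86_64_header() -> bytes:
    """struct mach_header_64 with CPU_TYPE_X86_64; remaining fields zeroed."""
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0)


def fat_x86_64_arm64_header() -> bytes:
    """struct fat_header followed by an x86_64 slice and an arm64 slice."""
    return (struct.pack(">II", FAT_MAGIC, 2)
            + struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x100, 14)
            + struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x100, 14))


def java_class_header() -> bytes:
    """CAFEBABE, minor 0, major 52: a Java class file, not a fat Mach-O."""
    return struct.pack(">IHH", 0xCAFEBABE, 0, 52) + b"\x00" * 16


if __name__ == "__main__":
    print("version 1 style:", classify(thin_x86_64_header()))
    print("version 2 style:", classify(fat_x86_64_arm64_header()))
```

On a real sample, read the first few kilobytes of the file and pass them to `macho_architectures`; only the fat header and the first eight bytes of a thin header are consulted. The Java check matters in practice because a triage script that keys on the CAFEBABE magic alone will misreport every `.class` file it meets as a universal binary.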
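The post's first noteworthy point is that the installer packages use the macOS Installer JavaScript API to execute commands. A flat `.pkg` carries that JavaScript in the `<script>` element of its Distribution file, Installer.app runs it through hooks such as `installation-check`, and the API's `system.run()` method starts a program. The following is an added example, not Red Canary's tooling, that triages a Distribution file for exactly that pattern. Both Distribution documents are constructed for demonstration; the command inside the suspicious one is a placeholder, not anything the page attributes to Silver Sparrow.

```python
"""Triage the Distribution file of a flat macOS installer package for
JavaScript that executes a program during preflight. Added example, not the
write-up's own code; the two Distribution documents are constructed.
"""
import os
import re
import xml.etree.ElementTree as ET

# The Installer JS API call that executes a program: system.run(path, args...)
RUN_CALL = re.compile(r"system\.run\s*\((.*?)\)", re.S)
# Distribution elements whose "script" attribute names a JS function that
# Installer.app evaluates before the install proceeds.
HOOK_TAGS = ("installation-check", "volume-check")

# Constructed: a Distribution with no JavaScript at all.
BENIGN_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Example</title>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.pkg"/></choice>
  <pkg-ref id="com.example.pkg" version="1.0">#example.pkg</pkg-ref>
</installer-gui-script>"""

# Constructed: a Distribution whose preflight check shells out. The command
# is a placeholder for demonstration only.
SUSPICIOUS_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Updater</title>
  <installation-check script="pm_install_check()"/>
  <script><![CDATA[
function pm_install_check() {
  system.run('/bin/sh', '-c', 'touch /tmp/constructed-example');
  return true;
}
]]></script>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default"><pkg-ref id="com.example.updater"/></choice>
  <pkg-ref id="com.example.updater" version="1.0">#updater.pkg</pkg-ref>
</installer-gui-script>"""


def distribution_findings(xml_text: str) -> dict:
    """Summarise the JavaScript execution surface of a Distribution file."""
    root = ET.fromstring(xml_text)
    # Which preflight hooks hand control to JavaScript, and to which function.
    hooks = {tag: el.get("script")
             for tag in HOOK_TAGS
             for el in root.iter(tag) if el.get("script")}
    # Every <script> body (CDATA content arrives as plain element text).
    scripts = [el.text or "" for el in root.iter("script")]
    # Argument lists handed to system.run(), one entry per call site.
    run_calls = [call.strip() for body in scripts for call in RUN_CALL.findall(body)]
    return {
        "script_hooks": hooks,
        "script_count": len(scripts),
        "system_run_calls": run_calls,
    }


def is_suspicious(findings: dict) -> bool:
    """A Distribution that runs a program during preflight deserves a look."""
    return bool(findings["system_run_calls"])


def findings_for_expanded_pkg(expanded_dir: str) -> dict:
    """Triage a package already unpacked on macOS with
    `pkgutil --expand package.pkg expanded_dir`."""
    with open(os.path.join(expanded_dir, "Distribution"), encoding="utf-8") as fh:
        return distribution_findings(fh.read())


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DISTRIBUTION), ("suspicious", SUSPICIOUS_DISTRIBUTION)):
        result = distribution_findings(doc)
        print(name, "->", "suspicious" if is_suspicious(result) else "clean", result)
```

This only covers the Distribution-level JavaScript channel the post singles out as novel. The far more common way for a `.pkg` to run code is a `preinstall` or `postinstall` shell script inside a component package's `Scripts` archive, so a full package triage should unpack those as well rather than stopping at the Distribution file.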