
how to detect silver sparrow

how do I check to see if my Mac is infected with silver sparrow?


iMac 27″, macOS 10.12

Posted on Feb 20, 2021 11:14 AM

Question marked as Top-ranking reply

Posted on Feb 20, 2021 11:31 AM

I’d recommend using Malwarebytes. Mac viruses are pretty rare. Malware, however, is not. Do not, under any circumstances, download and install anything that claims to clean your Mac from junk or fix your Mac. Those cause way more problems than they solve...

here’s a little info on this dirty birdy: (link)

https://redcanary.com/blog/clipping-silver-sparrows-wings/

and more (‘nother link)

https://threatpost.com/silver-sparrow-malware-30k-macs/164121/

please note that Silver Sparrow only targets M1 Macs, the latest ones, e.g. the M1 Mac mini and the M1 Mac notebook... technically it might run on any Intel Mac... but the only way it could run is if the Mac in question had an M1 chip in it... and it’s only a potential threat at best... it hasn’t become an actual threat yet


hope this helps you


john b


26 replies

Feb 20, 2021 2:24 PM in response to SBOly

As Johnb-one pointed out it's for M1 Macs only, so if you have a 27" iMac you don't have an M1 Mac, so don't worry about it. The free version of Malwarebytes is the only app you need to use if you think you've been infected with adware or malware. It was developed by a long-time contributor to these forums and a highly respected member of the computer security community. There are no known viruses for Mac, so any of the A/V apps are a waste of money and potential problems for Macs.


Just some food for thought: there is no reason to ever install or run any 3rd party "cleaning", "optimizing", "speed-up", anti-virus, VPN or security apps on your Mac. This user tip describes what you need to know and do in order to protect your Mac: Effective defenses against malware and other threats - Apple Community


Feb 22, 2021 4:45 PM in response to westred

Check your “About This Mac” window. If it says you have an Intel processor, it's an “Intel-based Mac” and not an Apple Silicon (currently, only “M1”) one. Here's my About



PS: The reports *I* read said there were versions for both Intel & Apple Silicon. I do not claim to know this for a fact but urge caution in believing anybody who says it's *ONLY* on M1.

Feb 21, 2021 11:56 AM in response to Johnb-one

can someone comment about what is meant by M1 Mac? This designation doesn't show up when I use the tool to look at my Mac information (about this Mac). The news articles say "code that runs natively on Apple's in-house M1 chip that was released in November". But nowhere does anyone mention the models or years or other identifying information. This information could be available by researching the Mac. When I look at Mac's release information for the M1 chip, it looks like you would be able to determine that you have an M1 chip by using "about this Mac" and it should show on the first tab, something like MacBook Pro (M1, 2020). Can anyone confirm that? That means that if I don't see that, I don't have an M1 chip.

Feb 21, 2021 12:04 PM in response to Old Toad

OK. So we agree. The answer to the question is: use About This Mac, look to see if you have an M1 chip. If you do, you could use some malware software to detect the Silver Sparrow? Since I don't have an M1 Mac, I will stop here. If someone does have an M1 chip, perhaps you can share if the software listed is showing you whether you have this particular problem or not? It sounds like most people would not have that chip and I wonder if Apple will take steps to make it safe for current and future buyers.

Feb 21, 2021 9:24 PM in response to ChefJoseph

@ChefJoseph - this is inaccurate - it is actually one of the easiest apps to uninstall that doesn't require just moving to the trash. With MalwareBytes open, simply click "Help" up in the menubar and then "Uninstall" > That easy!


For those that are curious about M1 Mac, those are the Macs that are so far made with Apple's Processors (as opposed to Intel) that were released in November (Mac Mini, MacBook Air, and 13" MacBook Pro with M1 Apple Silicon)


These Macs use Apple's own processor (like in the iPhone and iPads - just beefier) rather than Intel.


With respect to this new malware - you will probably not have it. Just use the free version of Malwarebytes (very trusted) to scan - and then remove Malwarebytes (or keep it - up to you!).


This Malware has been around for a little while. See the first couple of posts in this thread for great information as well.

Feb 22, 2021 7:24 AM in response to SBOly

From their blog post: https://redcanary.com/blog/clipping-silver-sparrows-wings/, you can take a look at the Indicators of Compromise section to see if you were infected. You can check the existence of files to see if your machine got compromised.


In Versions 1 & 2

~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)


Malware Version 1

File name: updater.pkg (installer package for v1)
MD5: 30c9bc7d40454e501c358f77449071aa
File name: updater (bystander Mach-O Intel binary in v1 package)
MD5: c668003c9c5b1689ba47a431512b03cc
mobiletraits.s3.amazonaws[.]com (S3 bucket holding version.json for v1)
~/Library/Application Support/agent_updater/agent.sh (v1 script that executes every hour)
/tmp/agent (file containing final v1 payload if distributed)
~/Library/Launchagents/agent.plist (v1 persistence mechanism)
~/Library/Launchagents/init_agent.plist (v1 persistence mechanism)
Developer ID Saotia Seay (5834W6MYX3) – v1 bystander binary signature revoked by Apple


Malware Version 2

File name: update.pkg (installer package for v2)
MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149
tasker.app/Contents/MacOS/tasker (bystander Mach-O Intel & M1 binary in v2)
MD5: b370191228fef82635e39a137be470af
specialattributes.s3.amazonaws[.]com (S3 bucket holding version.json for v2)
~/Library/Application Support/verx_updater/verx.sh (v2 script that executes every hour)
/tmp/verx (file containing final v2 payload if distributed)
~/Library/Launchagents/verx.plist (v2 persistence mechanism)
~/Library/Launchagents/init_verx.plist (v2 persistence mechanism)
Developer ID Julie Willey (MSZ3ZH74RK) – v2 bystander binary signature revoked by Apple


Feb 22, 2021 9:30 AM in response to Johnb-one

Thank you for the information about Malwarebytes. I have a new M1 chip Macbook Air and saw the story about silver sparrow on the noon news. I was worried about my new Mac and I'm not very techno-savvy but the Malwarebytes site is very user friendly and the video of how to install was a huge help. Thankfully my Mac is clean. I think I will get the premium service so I won't have to worry about any malware. Thanks!!

Feb 22, 2021 10:44 AM in response to SBOly

There doesn't seem to be an answer to the original question here.

How do you detect Silver Sparrow? What if you look for the files mentioned in the security bulletin below... will that work?

Upon executing Silver Sparrow it will leave two scripts on an infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.


The agent.sh script executes immediately at the end of the installation to contact the C2 and register the infection, while the verx.sh script executes periodically, using a persistent LaunchAgent to contact a remote host for more information, including other payloads to execute.
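The file-existence approach proposed in this post, and the indicator list quoted from Red Canary earlier in the thread, can be turned into a small read-only check. The script below is an added example, not code from the thread or from Red Canary: it looks for the indicator paths the thread lists, greps the user's LaunchAgents for plists that reference the two updater script directories, and lets you compare a downloaded file's MD5 against the listed package and binary hashes. It assumes the thread's paths are complete, spells the LaunchAgents folder the way macOS does (the quoted list writes "Launchagents"; the default macOS filesystem is case-insensitive, so both resolve to the same folder), and the `SS_TMP` variable and the `ss_*` function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check for the Silver Sparrow
# indicators quoted above. It reports findings and deletes nothing.
# SS_TMP is an assumption of this example: it lets /tmp be redirected for testing.
SS_TMP="${SS_TMP:-/tmp}"

# Indicator file paths for versions 1 and 2, as listed in the thread. "~/" is the user's home.
SS_PATHS='~/Library/._insu
/tmp/agent.sh
/tmp/version.json
/tmp/version.plist
~/Library/Application Support/agent_updater/agent.sh
/tmp/agent
~/Library/LaunchAgents/agent.plist
~/Library/LaunchAgents/init_agent.plist
~/Library/Application Support/verx_updater/verx.sh
/tmp/verx
~/Library/LaunchAgents/verx.plist
~/Library/LaunchAgents/init_verx.plist'

# MD5 hashes of the packages and bystander binaries, as listed in the thread.
SS_HASHES='30c9bc7d40454e501c358f77449071aa updater.pkg (v1 package)
c668003c9c5b1689ba47a431512b03cc updater (v1 bystander binary)
fdd6fb2b1dfe07b0e57d4cbfef9c8149 update.pkg (v2 package)
b370191228fef82635e39a137be470af tasker (v2 bystander binary)'

# Turn a listed path into an absolute path for the current user.
ss_expand_path() {
    case "$1" in
        "~/"*)    printf '%s\n' "$HOME/${1#"~/"}" ;;
        "/tmp/"*) printf '%s\n' "$SS_TMP/${1#"/tmp/"}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Print every indicator path that exists on this machine, one per line.
ss_hits() {
    printf '%s\n' "$SS_PATHS" | while IFS= read -r p; do
        full=$(ss_expand_path "$p")
        [ -e "$full" ] && printf '%s\n' "$full"
    done
    return 0
}

# Print the names of LaunchAgent plists that reference either updater script directory.
ss_launchagent_refs() {
    grep -ls -e agent_updater -e verx_updater "$HOME/Library/LaunchAgents"/*.plist 2>/dev/null
    return 0
}

# MD5 of a file with whichever tool the platform has (md5 on macOS, md5sum elsewhere).
ss_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the indicator label if the file's MD5 is in the list; status 0 on a match, 1 otherwise.
ss_match_hash() {
    h=$(ss_md5 "$1")
    printf '%s\n' "$SS_HASHES" | grep "^$h " | cut -d' ' -f2- | grep .
}

# Full report; status 1 when anything was found so it can drive other tooling.
ss_scan() {
    hits=$(ss_hits)
    refs=$(ss_launchagent_refs)
    if [ -z "$hits$refs" ]; then
        echo "No Silver Sparrow indicator files or LaunchAgent references found."
        return 0
    fi
    [ -n "$hits" ] && { echo "Indicator files present:"; printf '%s\n' "$hits" | sed 's/^/  /'; }
    [ -n "$refs" ] && { echo "LaunchAgents referencing the updater scripts:"; printf '%s\n' "$refs" | sed 's/^/  /'; }
    return 1
}

# Run the scan when executed directly (SS_SCAN=0 only loads the functions);
# any file paths given as arguments are compared against the listed hashes.
if [ "${SS_SCAN:-1}" = "1" ]; then
    ss_scan
    echo "(scan exit status $?)"
    for f in "$@"; do
        label=$(ss_match_hash "$f") && echo "$f matches listed indicator: $label"
    done
fi
```

Run it as `sh silver_sparrow_check.sh ~/Downloads/update.pkg` to scan and hash-check a downloaded installer in one go. A clean result only means none of these specific indicators are present; the thread's advice to run the free Malwarebytes scanner still applies, since its signatures cover more than this one list.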
