how to detect silver sparrow

I’d recommend using Malwarebytes. mac viruses are pretty rare. Malware, however is not. Do not, under any circumstances download and install anything that claims to clean your Mac from junk or fix your Mac. Those cause way more problems than they solve...

here’s a little info on this dirty birdy: (link)

https://redcanary.com/blog/clipping-silver-sparrows-wings/

and more (‘nother link)

https://threatpost.com/silver-sparrow-malware-30k-macs/164121/

please note that Silver Sparrow only targets M1 macs, the latest ones, eg the M1 mac mini and the M1 mac notebook... technically it might run on any Intel Mac... but the only way it could run is if the Mac in question had an M1 chip in it... and it’s only a potential threat at best...it hasn’t become an actual threat yet

hope this helps you

john b

As Johnb-one pointed out it's for M1 Macs only so if you have a 27" iMac you don;'t have an M1 Mac so don't worry about it. The free version of Malwarebytes. is the only app you need to use if you think you've been infected with adware or malware. It was developed by a long time contributor to these forums and a highly respected member of the computer security community. There are no known viruses for Mac so any of the A/V apps are a waste of money and potential problems for Macs.

Just some food for thought: there is no reason to ever install or run any 3rd party "cleaning", "optimizing", "speed-up", anti-virus, VPN or security apps on your Mac.  This user tip describes what you need to know and do in order to protect your Mac: Effective defenses against malware and other threats - Apple Community   

Check your “About This Mac” window. If it says you have an Intel processor, it's an “Intel-based Mac” and not an Apple Silicon (currently, only “M1”) one. Here's my About

PS: The reports *I* read said there were versions for both Intel & Apple Silicon. I do not claim to know this for a fact but urge caution in believing anybody who says it's *ONLY* on M1.

can someone comment about what is meant by M1 Mac? This designation doesn't show up when I use the tool to look at my Mac information (about this Mac). The news articles say "code that runs natively on Apple's in-house M1 chip that was released in November". But nowhere does anyone mention the models or years or other identifying information. This information could be available by researching the Mac. When I look at Mac's release information for the M1 chip, it looks like you would be able to determine that you have an M1 chip by using "about this Mac" and it should show on the first tab, something like MacBook Pro (M1, 2020). Can anyone confirm that? That means that if I don't see that, I don't have an M1 chip.

ok. so we agree. the answer to the question is, use About this Mac, look to see if you have an M1 chip. If you do, you could use some malware software to detect the silver sparrow? Since I don't have an M1 Mac, I will stop here. If someone does have an M1 chip, perhaps you can share if the software listed is showing you whether you have this particular problem or not? It sounds like most people would not have that chip and I wonder if Apple will take steps to make it safe for current and future buyers.

I literally just scanned my M1 chipped MacBook with the Malwarebytes free trial mentioned above and it shows nothing was detected. Is it because I just bought my machine in November and predominantly use it for Zoom, a bit of online library research, and the rare Netflix/Amazon viewing? Perhaps.

@ChefJoseph - this is inaccurate - it is actually one of the easiest apps to uninstall that doesn't require just moving to the trash. With MalwareBytes open, simply click "Help" up in the menubar and then "Uninstall" > That easy!

For those that are curious about M1 Mac, those are the Macs that are so far made with Apple's Processors (as opposed to Intel) that were released in November (Mac Mini, MacBook Air, and 13" MacBook Pro with M1 Apple Silicon)

These Macs use Apple's own processor (like in the iPhone and iPads - just beefier) rather than Intel.

With respect to this new Malware - you will probably not have it. Just use free version of Malwarebytes (very trusted) to scan - and then remove MalwareBytes (or keep it - up to you!).

This Malware has been around for a little while. See the first couple of posts in this thread for great information as well.

And the article says

”But the company stands by its commitment to safety when it comes to protecting Macs. Apple says that any software downloaded outside of the Mac App Store uses technical mechanisms (including its notary service) to detect malware and then block it so that it can't run.”

From their blog post: https://redcanary.com/blog/clipping-silver-sparrows-wings/, you can take a look at the Indicators of Compromise section to see if you were infected. You can check the existence of files to see if your machine got compromised.

In Versions 1 & 2

~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)

Malware Version 1

File name: updater.pkg (installer package for v1)
MD5: 30c9bc7d40454e501c358f77449071aa
File name: updater (bystander Mach-O Intel binary in v1 package)
MD5: c668003c9c5b1689ba47a431512b03cc
mobiletraits.s3.amazonaws[.]com (S3 bucket holding version.json for v1)
~/Library/Application Support/agent_updater/agent.sh (v1 script that executes every hour)
/tmp/agent (file containing final v1 payload if distributed)
~/Library/Launchagents/agent.plist (v1 persistence mechanism)
~/Library/Launchagents/init_agent.plist (v1 persistence mechanism)
Developer ID Saotia Seay (5834W6MYX3) – v1 bystander binary signature revoked by Apple

Malware Version 2

File name: update.pkg (installer package for v2)
MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149
tasker.app/Contents/MacOS/tasker (bystander Mach-O Intel & M1 binary in v2)
MD5: b370191228fef82635e39a137be470af
specialattributes.s3.amazonaws[.]com (S3 bucket holding version.json for v2)
~/Library/Application Support/verx_updater/verx.sh (v2 script that executes every hour)
/tmp/verx (file containing final v2 payload if distributed)
~/Library/Launchagents/verx.plist (v2 persistence mechanism)
~/Library/Launchagents/init_verx.plist (v2 persistence mechanism)
Developer ID Julie Willey (MSZ3ZH74RK) – v2 bystander binary signature revoked by Apple

Thank you for the information about Malwarebytes. I have a new M1 chip Macbook Air and saw the story about silver sparrow on the noon news. I was worried about my new Mac and I'm not very techno-savvy but the Malwarebytes site is very user friendly and the video of how to install was a huge help. Thankfully my Mac is clean. I think I will get the premium service so I won't have to worry about any malware. Thanks!!

There doesn't seem to be an answer to the original question here

How do you detect Silver Sparrow. What if you look for the files mentioned in the security bulletin

below..will that work?

Upon executing Silver Sparrow it will leave two scripts on an infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.

The agent.sh script executes immediately at the end of the installation to contact the C2 and register the infection, while the verx.sh script executes periodically, using a persistent LaunchAgent to contact a remote host for more information, including other payloads to execute.

Pretty sure it’s been answered above. Malwarebytes. Malware is known to change location of components of its payload.

Malwarebytes is the easiest way for those not in the know of how to locate the files.

found it in a friends Mac earlier tonight that way.

Thanks John, that was really helpful. Malwarebytes is great and although it's free if you use it manually, the subscription is worth the small amount of money.

Can I just remind folks to delete anything that says Adobe Flash Player Install as well (Adobe have stopped development for it so this is also malware).

Wow-I knew they stopped but had no idea. Every so often something from Adobe pops up and wants me to click to uninstall Adobe. Is that the malware or is it real? It would have a "remind me later" option which I always chose. I didn't want to remove Adobe because I thought some sites still use it. Thanks for the head's up!

To add onto this, Apple Support cites:

1. Prevent launch or execution of malware: App Store or Gatekeeper and Notarization

2. Block malware from running on customer systems: Gatekeeper, Notarization, and XProtect

3. Remediate malware that has executed: MRT