how to detect silver sparrow
how do I check to see if my Mac is infected with silver sparrow?
iMac 27″, macOS 10.12
From their blog post: https://redcanary.com/blog/clipping-silver-sparrows-wings/, you can take a look at the Indicators of Compromise section to see if you were infected. You can check the existence of files to see if your machine got compromised.
In Versions 1 & 2
~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)
Malware Version 1
File name: updater.pkg (installer package for v1)
MD5: 30c9bc7d40454e501c358f77449071aa
File name: updater (bystander Mach-O Intel binary in v1 package)
MD5: c668003c9c5b1689ba47a431512b03cc
mobiletraits.s3.amazonaws[.]com (S3 bucket holding version.json for v1)
~/Library/Application Support/agent_updater/agent.sh (v1 script that executes every hour)
/tmp/agent (file containing final v1 payload if distributed)
~/Library/Launchagents/agent.plist (v1 persistence mechanism)
~/Library/Launchagents/init_agent.plist (v1 persistence mechanism)
Developer ID Saotia Seay (5834W6MYX3) – v1 bystander binary signature revoked by Apple
Malware Version 2
File name: update.pkg (installer package for v2)
MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149
tasker.app/Contents/MacOS/tasker (bystander Mach-O Intel & M1 binary in v2)
MD5: b370191228fef82635e39a137be470af
specialattributes.s3.amazonaws[.]com (S3 bucket holding version.json for v2)
~/Library/Application Support/verx_updater/verx.sh (v2 script that executes every hour)
/tmp/verx (file containing final v2 payload if distributed)
~/Library/Launchagents/verx.plist (v2 persistence mechanism)
~/Library/Launchagents/init_verx.plist (v2 persistence mechanism)
Developer ID Julie Willey (MSZ3ZH74RK) – v2 bystander binary signature revoked by Apple
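
The file check the answer above describes, as an added shell example that is not part of the thread or of Red Canary's post: it tests every indicator path from the list for one user's home directory and /tmp. The function name `ss_scan` and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): sweep for the Silver Sparrow file
# indicators listed in the post above. Paths are copied from that list.

# ss_scan HOME_DIR [TMP_DIR]: print every indicator path that exists.
# ss_scan and its parameters are hypothetical names chosen for this example.
ss_scan() {
    home=$1
    tmp=${2:-/tmp}
    # macOS names this directory LaunchAgents; the post writes Launchagents,
    # which is the same directory on a default case-insensitive volume.
    # Fall back to the post's spelling when the standard one is absent.
    la=$home/Library/LaunchAgents
    [ -d "$la" ] || la=$home/Library/Launchagents
    as="$home/Library/Application Support"
    while IFS= read -r p; do
        # -L also catches a dangling symlink left at an indicator path
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf '%s\n' "$p"
        fi
    done <<EOF
$home/Library/._insu
$tmp/agent.sh
$tmp/version.json
$tmp/version.plist
$tmp/agent
$tmp/verx
$as/agent_updater/agent.sh
$as/verx_updater/verx.sh
$la/agent.plist
$la/init_agent.plist
$la/verx.plist
$la/init_verx.plist
EOF
    return 0
}

# Scan the current user's home and /tmp, then report.
hits=$(ss_scan "${HOME:-/}")
if [ -n "$hits" ]; then
    printf 'Silver Sparrow file indicators present:\n%s\n' "$hits"
else
    echo "No Silver Sparrow file indicators found for ${HOME:-/}"
fi
```

An empty result covers only these file paths for the one account scanned; run it once per user account on a shared Mac.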
Wow, I knew they stopped but had no idea. Every so often something from Adobe pops up and wants me to click to uninstall Adobe. Is that the malware or is it real? It would have a "remind me later" option which I always chose. I didn't want to remove Adobe because I thought some sites still use it. Thanks for the heads-up!
To add onto this, Apple Support cites:
1. Prevent launch or execution of malware: App Store or Gatekeeper and Notarization
2. Block malware from running on customer systems: Gatekeeper, Notarization, and XProtect
3. Remediate malware that has executed: MRT
The About this Mac will tell you if it's an M1 Mac. Those are the newest Macs that were released on or after November 10th of last year.
Silver Sparrow attacks x86-64 and M1 Macs.
If you read the full report from Red Canary, you will see that there are two versions of this malware.
The first version works on Intel-based Macs; the second version works on the M1 chip Macs.
Silver Sparrow targets both Intel and M1 Macs! Here is a link to Mashable:
https://mashable.com/article/mac-malware-detected-m1-and-intel-chip-silver-sparrow/
I understand that Malwarebytes includes no uninstaller. If this is true, I will not install it.
Already installed after doing a bit more research. Nothing found. I assume you can see info regarding the MacBook Pro 16 I have. Purchased 8/2020.
Thanks!
No need for premium. Just set a reminder and open it every couple weeks and do a scan. Free is fine.
Yes 100% malware. I have a full Adobe subscription, so would know about it if it was real...