Silver Sparrow

30,000 witnits and counting.

Get It Try It

There's a tidy piece of Apple malware out there and it's been dubbed Silver Sparrow by the Red Canary group of Denver Colorado.

Silver Sparrow propagates through Apple installer packages or DMGs and it seems to currently lack a payload, having placeholders instead.

One would normally assume one is safe as long as one doesn't authorise anything as root, but some 30,000 witnits in over 150 countries have already been owned.

And, with Apple's unethical trick for privilege escalation introduced over ten years ago for OS X Leopard, all bets are off.



The Red Canary piece by Tony Lambert is well written, easy to follow even for laymen, and it's recommended. Be careful with privilege escalation, Apple installers, and DMGs.

For goodness sake make sure your trusty web browser isn't set to open your downloads automatically, and make sure you open (manually) only what you know should be there.

As of 17 February, Silver Sparrow was detected on 29,139 endpoints in 153 countries.

High concentration was found in the US, the UK, Canada, France, and Germany. What's curious is that Silver Sparrow comes in two versions, the latter version rebuilt for Apple's new M1 processor.



The files themselves are very minimal in size, hovering around 50-70 KB, so they'll be rather unnoticeable. Always check your Downloads directory and be on the lookout for anything you didn't expect to find there.

JavaScript is used in an unusual way, but that ought to be 'neither here nor there' for you the end user. The JavaScript seems to take pains to avoid getting flagged as malware.

Here's an example of a JSON download for Silver Sparrow.

{
    "version": 2,
    "label": "verx",
    "args": "upbuchupsf",
    "dls": 4320,
    "run": true,
    "loc": "~/Library/._insu",
    "downloadUrl": ""
}

Note that the value for 'downloadUrl' is an empty string (for now). But once your launch agent is in place, that location will be checked every hour.

Red Canary included a timeline on Silver Sparrow. It was first detected on 18 August last year. One of the domains listed, specialattributes.com, was registered in December.

Creation Date: 2020-12-05T00:37:43.00Z

The other, mobiletraits.com, was registered back in August 2020.

Creation Date: 2020-08-18T02:10:47.00Z

Red Canary detected Silver Sparrow version 1 on 26 January and detected Silver Sparrow version 2 on 9 February.

Things to look for

Things to look for on disk:

~/Library/._insu
/tmp/agent.sh
/tmp/version.json
/tmp/version.plist

Version 1:

~/Library/Application Support/agent_updater/agent.sh
/tmp/agent <-- Payload
~/Library/LaunchAgents/agent.plist
~/Library/LaunchAgents/init_agent.plist

Version 2:

~/Library/Application Support/verx_updater/verx.sh
/tmp/verx <-- Payload
~/Library/LaunchAgents/verx.plist
~/Library/LaunchAgents/init_verx.plist

[Note that the paths :~/Library/Application Support and ~/Library/LaunchAgents can preclude the obstacle of requiring authorisation.]

Red Canary also note two Apple developer IDs connected with the malware.

Saotia Seay (5834W6MYX3)
Julie Willey (MSZ3ZH74RK)

So much for code-signing and Apple security.

The two installer packages Red Canary detected were updater.pkg (version 1) and tasker.pkg (version 2).

This should be further proof that truly open source operating systems are to be preferred. It's one thing for Apple to embrace Unix and quite another to actually practice it.

See Also
Coldspots: .SoftwareUpdateAtLogout

About Rixstep

Stockholm/London-based Rixstep are a constellation of programmers and support staff from Radsoft Laboratories who tired of Windows vulnerabilities, Linux driver issues, and cursing x86 hardware all day long. Rixstep have many years of experience behind their efforts, with teaching and consulting credentials from the likes of British Aerospace, General Electric, Lockheed Martin, Lloyds TSB, SAAB Defence Systems, British Broadcasting Corporation, Barclays Bank, IBM, Microsoft, and Sony/Ericsson.

Rixstep and Radsoft products are or have been in use by Sweden's Royal Mail, Sony/Ericsson, the US Department of Defense, the offices of the US Supreme Court, the Government of Western Australia, the German Federal Police, Verizon Wireless, Los Alamos National Laboratory, Microsoft Corporation, the New York Times, Apple Inc, Oxford University, and hundreds of research institutes around the globe. See here.

All Content and Software Copyright © Rixstep. All Rights Reserved.