How to tell if Silver Sparrow malware is hiding on your Mac

Silver Sparrow could be in your M-series or Intel Mac. Here’s how to find out.
Graphic: Cult of Mac/Red Canary

Some of the first malware targeting both M-series and Intel Macs has affected thousands of computers. At this point, the malicious code — called “Silver Sparrow” — is not dangerous, and Apple may have pulled its teeth. But users of the latest macOS computers still might want to know if their device has it. And the same goes for owners of Intel-based Macs.

Here’s how to find out if your computer has been hit.

A brief background on Silver Sparrow

Silver Sparrow exploits a vulnerability in the macOS Installer JavaScript API as a way to execute dodgy commands. That said, the security pros at Red Canary say that the only payload is a couple of placeholder apps. The version for M-series Macs only displays a message that says, “You did it!”

But, as mentioned, it can affect both Intel and M-series Macs. And that makes it almost unique. Apple introduced the first Macs using its M1 processor in November 2020. They require software to be recompiled for the new architecture. And that includes malware. But hackers clearly weren’t fazed, leading to the creation of Silver Sparrow.

For more information, read Cult of Mac’s news article from Monday, “Apple steps up fight against Silver Sparrow malware that targets M1 Macs.”

Hunting the dratted bird

The first report on Silver Sparrow arrived on February 18, and security researchers continue to gather information. At this point, they don’t even know how the malware is being distributed.

But they do know some of the files it adds to an affected Mac. According to Red Canary, these include:

~/Library/._insu
/tmp/agent.sh
/tmp/version.json
/tmp/version.plist

A search with Finder (the macOS file manager) can locate them. A computer containing these files is apparently infected with Silver Sparrow.

Currently, researchers know of two versions of Silver Sparrow. One version can infect only Intel Macs. The other takes on both Intel and M-series computers. Below are details to look for on each type of computer.

How to find the version for M-series and Intel Macs

The version of the malware that can affect Macs with either M-series or Intel processors comes in through:

update.pkg
MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149

The payload is:

tasker.app/Contents/MacOS/tasker
MD5: b370191228fef82635e39a137be470af

This version of Silver Sparrow is also associated with the following domain and files:

specialattributes.s3.amazonaws[.]com
~/Library/Application Support/verx_updater/verx.sh
/tmp/verx
~/Library/Launchagents/verx.plist
~/Library/Launchagents/init_verx.plist

Again, a search with Finder can turn these up on an infected device.

The payload’s Developer ID is Julie Willey (MSZ3ZH74RK). Apple revoked this developer account to help prevent further spread of the Silver Sparrow malware.

How to find the original version of Silver Sparrow for Intel Macs

The first version of Silver Sparrow can only infect Intel-based Macs. It comes in through:

updater.pkg
MD5: 30c9bc7d40454e501c358f77449071aa

The payload is:

File name: updater
MD5: c668003c9c5b1689ba47a431512b03cc

This version of Silver Sparrow is also associated with the following domain and files:

mobiletraits.s3.amazonaws[.]com
~/Library/Application Support/agent_updater/agent.sh
/tmp/agent
~/Library/Launchagents/agent.plist
~/Library/Launchagents/init_agent.plist

The payload’s binary signature comes from Developer ID Saotia Seay (5834W6MYX3). Apple revoked this developer account, too.
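The file checks from the three lists above, as an added shell script that is not from the article or from Red Canary: it tests every listed path relative to a home directory and a tmp directory (defaulting to $HOME and /tmp, so it can also be pointed at a test tree or a mounted image) and compares a given file's MD5 against the four hashes the article quotes. The function names silver_sparrow_check, known_sample and file_md5 are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or Red Canary): scan for the Silver
# Sparrow file indicators the article lists. Paths are relative to a home
# directory and a tmp directory so the scan can also be pointed at a test
# tree or a mounted disk image; defaults are $HOME and /tmp. LaunchAgents is
# spelled as on disk (default macOS volumes are case-insensitive anyway).

# MD5s of the packages and payloads named in the article, with their labels.
KNOWN_MD5="fdd6fb2b1dfe07b0e57d4cbfef9c8149 update.pkg
b370191228fef82635e39a137be470af tasker
30c9bc7d40454e501c358f77449071aa updater.pkg
c668003c9c5b1689ba47a431512b03cc updater"

# Portable MD5 of one file: md5sum on Linux, md5 -q on macOS.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Print the article's label when a file's MD5 matches a known sample, else nothing.
known_sample() {
    sum=$(file_md5 "$1")
    printf '%s\n' "$KNOWN_MD5" | awk -v s="$sum" '$1 == s { print $2 }'
}

# Print "FOUND: path" for each indicator that exists; the last line is the count.
# Usage: silver_sparrow_check [home_dir] [tmp_dir]
silver_sparrow_check() {
    home="${1:-$HOME}"; tmp="${2:-/tmp}"; found=0
    for rel in \
        "Library/._insu" \
        "Library/Application Support/verx_updater/verx.sh" \
        "Library/Application Support/agent_updater/agent.sh" \
        "Library/LaunchAgents/verx.plist" \
        "Library/LaunchAgents/init_verx.plist" \
        "Library/LaunchAgents/agent.plist" \
        "Library/LaunchAgents/init_agent.plist"
    do
        if [ -e "$home/$rel" ]; then echo "FOUND: $home/$rel"; found=$((found + 1)); fi
    done
    for rel in agent.sh version.json version.plist verx agent; do
        if [ -e "$tmp/$rel" ]; then echo "FOUND: $tmp/$rel"; found=$((found + 1)); fi
    done
    echo "$found"
}

# Stand-alone use on a Mac (commented out so sourcing the file has no side effect):
# silver_sparrow_check "$HOME" /tmp
```

Testing the paths directly sidesteps the fact that Finder hides dot-files such as ._insu and the /tmp directory by default, so a plain Finder search can miss them.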