Threat: New activity cluster
Silver Sparrow
Silver Sparrow is a macOS activity cluster with fully functional distribution methods and infrastructure but no final payload.
Our article introducing Silver Sparrow macOS malware was the most-read post on the Red Canary blog last year. Thank goodness our Intelligence team gets along better than the members of Fleetwood Mac.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Analysis
In February 2021, Red Canary discovered an activity cluster we named Silver Sparrow when we identified a strain of macOS malware using a LaunchAgent to establish persistence. Distributed via downloads from AWS S3 buckets, malware dropped by Silver Sparrow relies on installation through macOS PKG files. We analyzed two versions of Silver Sparrow malware: the first version contained a Mach-O binary compiled for the Intel x86_64 architecture only, and the second version included a Mach-O binary compiled for both Intel x86_64 and M1 ARM64 architectures. The downloader was novel because of the way it used JavaScript for execution and the appearance of a related binary compiled for Apple’s new M1 ARM64 architecture. During installation, the malware executed JavaScript commands to orchestrate the creation of files and scripts for persistent execution. These files attempted to download a future payload determined by a file from an additional S3 bucket retrieved every hour.
Since we observed multiple files and components on victim machines, we decided to cluster all the suspicious artifacts under the Silver Sparrow activity cluster, including an unusual ._insu file that seems to instruct the malware to remove itself from an endpoint.
Thanks to our friends at Malwarebytes, we determined that the Silver Sparrow activity cluster affected tens of thousands of macOS endpoints across 164 countries as of February 2021, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany. Although we never observed Silver Sparrow delivering additional malicious payloads, it was operationally mature and affected many thousands of machines worldwide.
Overall, Silver Sparrow is interesting and unique because:
- At the time of analysis, its malware was compatible with M1 ARM64 and Intel chipsets. Researchers have uncovered very few threats for the M1 ARM64 architecture because the architecture is young.
- Its installer packages leverage the macOS Installer JavaScript API to execute suspicious commands. This is the first malware we’ve seen do this.
- Its infrastructure was hosted on AWS S3, making it hard to block outright. The decision to use AWS infrastructure suggests an operationally mature adversary.
Take action
We included some detection opportunities below to help identify Silver Sparrow activity. Also, see the macOS trends page for defense strategies to protect yourself from macOS threats.
Detection opportunities
PlistBuddy utility manipulating LaunchAgent
The PlistBuddy command is a built-in macOS tool that allows administrators to manipulate property list, or plist, files used to configure various parts of the macOS operating system. Silver Sparrow used the command to manipulate LaunchAgent plists and establish persistence. PlistBuddy invoked with a command line that includes RunAtLoad indicates an adversary is specifically manipulating a LaunchAgent’s or LaunchDaemon’s capability to execute code at boot.
process == 'PlistBuddy' && command_line_includes ('RunAtLoad')
Sqlite3 loading the Quarantine file
The Quarantine feature of macOS prevents certain file types from easily executing after being downloaded from the internet. The system keeps a record of all downloaded files in a SQLite database at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*. Silver Sparrow malware and other macOS threats commonly query this record using the sqlite3 command to determine where they were downloaded from, reporting the result back to the adversary for metrics (i.e., whether or not the deployment path was successful).
process_name == ('sqlite3') && command_line_includes ('LSQuarantineDataURLString')
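Both detection opportunities above, the PlistBuddy RunAtLoad analytic and the sqlite3 quarantine analytic, evaluated against constructed process telemetry as an added example (this is not Red Canary's detection code); the ProcessEvent record, its field names and the sample command lines are assumptions standing in for whatever an EDR actually emits.

```python
"""Evaluate the two Silver Sparrow detection analytics against process events.

Added example, not Red Canary's own code. The ProcessEvent record, its
field names and the sample telemetry below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    process_name: str   # assumed field: executable name as the EDR reports it
    command_line: str   # assumed field: full command line of the process


# Each analytic mirrors one detection opportunity from the write-up:
# a process name that must match exactly, paired with a substring that
# must appear on its command line (process == X && command_line_includes(Y)).
ANALYTICS = {
    "plistbuddy_runatload": ("PlistBuddy", "RunAtLoad"),
    "sqlite3_quarantine_url": ("sqlite3", "LSQuarantineDataURLString"),
}


def matching_analytics(event: ProcessEvent) -> list[str]:
    """Return the names of every analytic this single event satisfies."""
    return [
        name
        for name, (proc, needle) in ANALYTICS.items()
        if event.process_name == proc and needle in event.command_line
    ]


def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each analytic name to the command lines that tripped it."""
    results: dict[str, list[str]] = {name: [] for name in ANALYTICS}
    for ev in events:
        for name in matching_analytics(ev):
            results[name].append(ev.command_line)
    return results


# Constructed telemetry: one true positive per analytic plus a benign lookalike
# for each, so the exact-process-name and substring conditions are both exercised.
SAMPLE_EVENTS = [
    ProcessEvent("PlistBuddy", "/usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' ~/Library/LaunchAgents/example.plist"),
    ProcessEvent("PlistBuddy", "/usr/libexec/PlistBuddy -c 'Print :Label' ~/Library/LaunchAgents/example.plist"),
    ProcessEvent("sqlite3", "sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineDataURLString from LSQuarantineEvent'"),
    ProcessEvent("sqlite3", "sqlite3 ~/notes.db 'select * from notes'"),
]

if __name__ == "__main__":
    for name, cmds in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(cmds)} hit(s)")
```

Swapping SAMPLE_EVENTS for real process-start telemetry turns this into a quick offline check of the two analytics before encoding them in a production detection platform.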