Threat: New activity cluster
Silver Sparrow is a macOS activity cluster with fully functional distribution methods and infrastructure but no final payload.
Our article introducing Silver Sparrow macOS malware was the most read post on the Red Canary blog last year. Thank goodness our Intelligence team gets along better than the members of Fleetwood Mac.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
In February 2021, Red Canary discovered an activity cluster we named Silver Sparrow when we identified a strain of macOS malware using a
Since we observed multiple files and components on victim machines, we decided to cluster all the suspicious artifacts under the Silver Sparrow activity cluster, including an unusual ._insu file that seems to instruct the malware to remove itself from an endpoint.
Thanks to our friends at Malwarebytes, we determined that the Silver Sparrow activity cluster affected tens of thousands of macOS endpoints across 164 countries as of February 2021, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany. Although we never observed Silver Sparrow delivering additional malicious payloads, it was operationally mature and affected many thousands of machines worldwide.
Overall, Silver Sparrow is interesting and unique because:
- At the time of analysis, its malware was compatible with M1 ARM64 and Intel chipsets. Researchers have uncovered very few threats for the M1 ARM64 architecture because the architecture is young.
- Its infrastructure was hosted on AWS S3, making it hard to block outright. The decision to use AWS infrastructure suggests an operationally mature adversary.
We included some detection opportunities below to help identify Silver Sparrow activity. Also, see the macOS trends page for defense strategies to protect yourself from macOS threats.
PlistBuddy utility manipulating LaunchAgent plists
PlistBuddy is a built-in macOS command that allows administrators to manipulate property list, or plist, files used to configure various parts of the macOS operating system. Silver Sparrow used the command to manipulate LaunchAgent plists and establish persistence.
PlistBuddy with a command line including RunAtLoad indicates an adversary is specifically manipulating a LaunchDaemon’s capability to execute code at boot.
process == 'PlistBuddy' && command_line_includes ('RunAtLoad')
Sqlite3 loading the Quarantine file
The Quarantine feature of macOS prevents certain file types from easily executing after being downloaded from the internet. The system keeps a record of all downloaded files in a SQLite database at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*. Silver Sparrow malware and other macOS threats commonly query this record using the sqlite3 command to determine where they were downloaded from, so they can report back to the adversary for metrics (i.e., whether or not the deployment path was successful).
process_name == ('sqlite3') && command_line_includes ('LSQuarantineDataURLString')
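As an added example (not Red Canary's code), the two detection analytics above, PlistBuddy with RunAtLoad and sqlite3 reading LSQuarantineDataURLString, turned into runnable logic over constructed process-execution events; the ProcessEvent shape, the sample command lines, and the path-extraction enrichment are assumptions.

```python
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-execution telemetry record (assumed shape, not a vendor schema)."""
    process_name: str
    command_line: str


def _args(ev: ProcessEvent) -> list:
    """Tokenize the command line shell-style so quoted PlistBuddy/sqlite3 commands stay intact."""
    try:
        return shlex.split(ev.command_line)
    except ValueError:  # unbalanced quotes in telemetry; fall back to whitespace split
        return ev.command_line.split()


def plistbuddy_runatload(ev: ProcessEvent):
    """Analytic 1: process == 'PlistBuddy' && command_line_includes('RunAtLoad').
    Returns the plist being edited (enrichment for the analyst), or None if no match."""
    if ev.process_name != "PlistBuddy" or "RunAtLoad" not in ev.command_line:
        return None
    plists = [a for a in _args(ev) if a.endswith(".plist")]
    return plists[-1] if plists else "<unknown plist>"


def sqlite3_quarantine_query(ev: ProcessEvent):
    """Analytic 2: process_name == 'sqlite3' && command_line_includes('LSQuarantineDataURLString').
    Returns the QuarantineEvents database path that was read, or None if no match."""
    if ev.process_name != "sqlite3" or "LSQuarantineDataURLString" not in ev.command_line:
        return None
    dbs = [a for a in _args(ev) if "QuarantineEventsV" in a]
    return dbs[0] if dbs else "<unknown db>"


def evaluate(events):
    """Run both analytics over a stream of events; return (analytic, extracted path) hits."""
    hits = []
    for ev in events:
        plist = plistbuddy_runatload(ev)
        if plist:
            hits.append(("plistbuddy_runatload", plist))
        db = sqlite3_quarantine_query(ev)
        if db:
            hits.append(("sqlite3_quarantine_query", db))
    return hits


# Constructed sample events (not real Silver Sparrow telemetry): two true positives,
# a benign PlistBuddy Print, a benign sqlite3 query, and a bash echo that contains the
# keywords but is a different process, so neither analytic fires on it.
SAMPLE_EVENTS = [
    ProcessEvent("PlistBuddy", "/usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' ~/Library/LaunchAgents/example.plist"),
    ProcessEvent("PlistBuddy", "/usr/libexec/PlistBuddy -c 'Print' /Library/Preferences/example.plist"),
    ProcessEvent("sqlite3", "sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineDataURLString from LSQuarantineEvent'"),
    ProcessEvent("sqlite3", "sqlite3 notes.db 'select count(*) from notes'"),
    ProcessEvent("bash", "bash -c 'echo RunAtLoad LSQuarantineDataURLString'"),
]
```

Both analytics match on the literal keyword, so a PlistBuddy `Print :RunAtLoad` would also fire; the extracted plist or database path lets an analyst triage that quickly.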