In February 2021, Red Canary discovered an activity cluster we named Silver Sparrow when we identified a strain of macOS malware using a
Since we observed multiple files and components on victim machines, we decided to cluster all the suspicious artifacts under the Silver Sparrow activity cluster, including an unusual ._insu file that seems to instruct the malware to remove itself from an endpoint.
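The ._insu artifact is a simple thing to check for on a fleet. The shell helper below is an added example, not code from the Red Canary report: it walks a directory tree and lists any regular file named `._insu`, returning a count a script can act on. The report names only the filename; the search root (for example `/Users` on a Mac, to cover every home directory) and the output format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the report): locate files named "._insu" under a tree.
# "._insu" is the filename the report associates with Silver Sparrow; the
# search root passed in, and the plain-path output, are this script's choices.

find_insu_markers() {
  root="$1"
  # Exact-name match on regular files; find includes dotfiles by default.
  # Errors (unreadable directories) are silenced so the list stays clean.
  find "$root" -type f -name '._insu' 2>/dev/null
}

# Number of matches, as a bare integer (0 means no marker was found).
count_insu_markers() {
  find_insu_markers "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: sh check_insu.sh /Users   (assumed macOS home root)
if [ -n "${1:-}" ]; then
  find_insu_markers "$1"
fi
```

Run it against the home-directory root on each endpoint (or over a mounted image during forensics); any path it prints is a candidate for the rest of the Silver Sparrow triage, and a zero count on a host known to have been affected is itself worth noting, given the report's observation that the file appears to trigger self-removal.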
Thanks to our friends at MalwareBytes, we determined that the Silver Sparrow activity cluster affected tens of thousands of macOS endpoints across 164 countries as of February 2021, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany. Although we never observed Silver Sparrow delivering additional malicious payloads, it was operationally mature and affected many thousands of machines worldwide.
Overall, Silver Sparrow is interesting and unique because:
- At the time of analysis, its malware was compatible with M1 ARM64 and Intel chipsets. Researchers have uncovered very few threats for the M1 ARM64 architecture because the architecture is young.
- Its infrastructure was hosted on AWS S3, making it hard to block outright. The decision to use AWS infrastructure suggests an operationally mature adversary.
We included some detection opportunities below to help identify Silver Sparrow activity. Also, see the macOS trends page for defense strategies to protect yourself from macOS threats.