How To Find and Remove The New “Silver Sparrow” macOS Malware

What’s Silver Sparrow, you ask? 

In case you missed it, Silver Sparrow is a new strain of macOS malware. It ships a binary compiled natively for Apple's new M1 chips, which makes it one of the first pieces of malware built for M1-based Macs, but it runs on Intel Macs as well.

Researchers at Red Canary, a reputable cybersecurity firm, discovered the malware. They say that so far it has not been seen delivering a malicious payload, but it contains the machinery to download and run one, so it could still be weaponized in the future.

In case you'd like to know more, we covered this story yesterday, including the nitty-gritty technical details of Silver Sparrow and how the researchers managed to uncover it.

Apple has revoked the developer certificates of the accounts that were used to sign the malicious package files. This means Gatekeeper will refuse to install the packages on any Mac running with the default security settings. It does not, however, remove the malware from machines that were already infected.

For that reason, the Red Canary researchers advise everyone to check whether their machine was infected before Apple took action.

Since Silver Sparrow is not doing anything at the moment, according to the researchers, there is no observable behavior on which to detect it. What you can do is look for the specific files the malware leaves on disk, the indicators of compromise (IoCs) published by the researchers.

Red Canary researchers list four files whose presence suggests your system has been compromised:

  • ~/Library/._insu (empty file used to signal the malware to delete itself)
  • /tmp/ (shell script executed for installation callback)
  • /tmp/version.json (file downloaded from S3 to determine execution flow)
  • /tmp/version.plist (version.json converted into a property list)
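As an added example (this script is ours, not Red Canary's or Malwarebytes' tooling), the check above can be turned into a small POSIX shell script that looks for the listed indicators and returns a non-zero exit status if any are present. The shell-script entry in the list is truncated on this page (only "/tmp/" survives), so the script checks the three fully specified paths; add the fourth to the list once you have the full path. The home and tmp roots are parameters so the same check can be pointed at another user's home folder or a mounted disk image.

```shell
#!/bin/sh
# Added example, not code from the article: look for the Silver Sparrow
# file indicators listed above. The "/tmp/<script>" entry is truncated on
# the page, so only the three complete paths are included; extend the list
# in silver_sparrow_iocs once the script name is known.
#
# Usage:  sh check_silver_sparrow.sh                 # check this user's Mac
#         sh check_silver_sparrow.sh /Volumes/Disk/Users/bob /Volumes/Disk/private/tmp
# Exit status: 0 = none of the indicators present, 1 = at least one present.

# Emit the indicator paths, one per line, under the home and tmp directories
# given (defaults: $HOME and /tmp). Parameterising the roots lets the same
# check run against a mounted image or, as in the test, a scratch directory.
silver_sparrow_iocs() {
    home="${1:-$HOME}"
    tmp="${2:-/tmp}"
    printf '%s\n' \
        "$home/Library/._insu" \
        "$tmp/version.json" \
        "$tmp/version.plist"
}

# Print each indicator that exists (with its size and mtime from ls, useful
# for the incident notes) and return 1 if any were found, 0 otherwise.
check_silver_sparrow() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -e "$path" ]; then
            found=1
            # ls -l behaves the same on macOS and Linux; stat's flags do not.
            echo "INDICATOR PRESENT: $(ls -ld "$path")"
        fi
    done <<EOF
$(silver_sparrow_iocs "$1" "$2")
EOF
    if [ "$found" -eq 0 ]; then
        echo "No Silver Sparrow file indicators found."
    fi
    return "$found"
}

# Run the check when executed directly as a script, not when sourced.
case "$0" in
    *check_silver_sparrow.sh) check_silver_sparrow "$@"; exit $? ;;
esac
```

Two caveats when reading the result. macOS clears /tmp on reboot and periodically removes old files there, so the absence of version.json and version.plist does not prove the machine was never infected; ~/Library/._insu is the more durable indicator. And a file-based check only finds this particular variant as documented; a clean result from this script is not a substitute for a full anti-malware scan.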

Since the Malwarebytes team was involved in uncovering Silver Sparrow, their product is likely to detect it, so the free version of the Malwarebytes anti-malware tool is a sensible next step.

If that doesn't work, try the somewhat lengthy manual procedure suggested by a user named effgee in a comment on an Ars Technica article.

Red Canary says Macs in some 153 countries have been infected, most of them in the United States, the United Kingdom, Canada, France, and Germany.

"To me, the most notable [thing] is that it was found on almost 30K macOS endpoints… and these are only endpoints that Malwarebytes can see, so the number is likely way higher," Patrick Wardle, a macOS security expert, wrote in an Internet message. "That's pretty widespread… and yet again shows that macOS malware is becoming ever more pervasive and commonplace, despite Apple's best efforts."

With numbers like that, it is worth taking a few minutes to check your own machine.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.