Find and Remove the New Silver Sparrow macOS Malware

What’s Silver Sparrow? No, it’s not a Game of Thrones character—has that ship sailed?—but rather a new piece of macOS malware that runs on both Intel and M1-based Macs. That makes it the second piece of known malware for the latter, but there’s a silver lining: Researchers discovered the malicious software before it had a chance to actually harm your system.

As Red Canary’s Tony Lambert writes:

“…the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution. Based on data shared with us by Malwarebytes, the nearly 30,000 affected hosts have not downloaded what would be the next or final payload.”

Click on over to Red Canary’s blog if you want to get into the nitty-gritty technical details of Silver Sparrow. If you’re curious about whether you’ve been infected, odds are you haven’t, nor will you be going forward—Apple has suspended the developer certificates used to sign the package files that start the infection, meaning that Mac users will be unable to install it if they’re using the Mac’s default security settings. (I haven’t found said malware, so I can’t verify whether your Mac will warn you about not installing it, or simply mark it as a malicious app and forbid you from doing so.)

Nevertheless, if you’re concerned that you might have been infected, think about what you’ve done with your system lately. Were you prompted by a website to download a software package and/or update? Was it something you weren’t intending to download or install until a website suggested you should? Was said package file named something simple and dull, like “update.pkg” or “updater.pkg”?

If so, a little suspicion is warranted. While there’s no real way to detect whether said malware is on your system based on observable behavior—since it’s not doing anything at the moment, and it’s unclear if it ever will—you can go hunting around for files the malware drops on your system. Red Canary notes four files that suggest your system may be infected:

  • ~/Library/._insu (empty file used to signal the malware to delete itself)
  • /tmp/agent.sh (shell script executed for installation callback)
  • /tmp/version.json (file downloaded from S3 to determine execution flow)
  • /tmp/version.plist (version.json converted into a property list)
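To check for those four paths without clicking through to the forum thread, here is a small shell script I put together for this post; it is not code from Red Canary, Malwarebytes or effgee. It reports any of the artifacts that exist and, if you ask it to, moves them into a quarantine folder (so they survive for a closer look instead of being deleted outright). The home and tmp directories are arguments, defaulting to $HOME and /tmp, so the functions can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example: scan a Mac for the four Silver Sparrow artifact paths listed
# above, and optionally move any hits into a quarantine directory.

# Print the four candidate artifact paths for the given home ($1) and tmp ($2).
silver_sparrow_paths() {
    printf '%s\n' "$1/Library/._insu" "$2/agent.sh" \
                  "$2/version.json" "$2/version.plist"
}

# Print each artifact that exists, one path per line.
# Exit status 0 means clean, 1 means at least one artifact is present.
silver_sparrow_scan() {
    hits=0
    while IFS= read -r f; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            hits=$((hits + 1))
        fi
    done <<EOF
$(silver_sparrow_paths "${1:-$HOME}" "${2:-/tmp}")
EOF
    [ "$hits" -eq 0 ]
}

# Move every present artifact into quarantine dir $3, encoding the original
# path in the new file name; prints the number of files moved.
silver_sparrow_quarantine() {
    qdir="$3"
    mkdir -p "$qdir"
    moved=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        mv "$f" "$qdir/$(printf '%s' "$f" | tr '/' '_')"
        moved=$((moved + 1))
    done <<EOF
$(silver_sparrow_scan "${1:-$HOME}" "${2:-/tmp}")
EOF
    printf '%s\n' "$moved"
}

# Run directly: report hits; quarantine only when asked with --quarantine.
if [ "${1:-}" = "--quarantine" ]; then
    silver_sparrow_quarantine "$HOME" /tmp "$HOME/silver_sparrow_quarantine"
else
    silver_sparrow_scan "$HOME" /tmp && echo "No Silver Sparrow artifacts found."
fi
```

Save it as a file, run `sh scan.sh` to report, and `sh scan.sh --quarantine` to move anything found into ~/silver_sparrow_quarantine.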

This lengthy (and incredibly helpful) writeup from Ars Technica commenter effgee will help you find the offending files, confirm they’re problematic, and remove them. Since Malwarebytes worked with Red Canary on detection data for its analysis and published piece, odds are good that using the free version of that popular anti-malware scanner/remover should be sufficient, too.

If the current version of the app doesn’t find and remove Silver Sparrow, make sure you keep its definitions updated—and that you’re running regular scans. I expect it won’t be long before the company issues an update that scrubs macOS clean of this pesky, but otherwise stagnant malware.