
Cyber security company Red Canary published findings last week about a new piece of Mac malware called Silver Sparrow. This malware is notable in being one of the first to include native code for Apple's new M1 chips, but what is unknown about this malware is actually more interesting than what is known!

Installation

We know that the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, we do not know how these files were delivered to the user.

These .pkg files included JavaScript code, in such a way that the code would run at the very beginning, before the installation has really started. The user would then be asked if they want to allow a program to run "to determine if the software can be installed."

This means that, if you were to click Continue, but then think better of it and quit the installer, it would be too late. The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named verx.sh once per hour.

This script has several functions.

First, it will contact a command & control server formerly hosted on Amazon AWS. The data it gets back looked something like this at the time of analysis:

Next, the malware will check for the file ~/Library/._insu. From Malwarebytes data, it appears that this is a zero-byte file, and the malware simply uses it as a marker to indicate that it should delete itself. In this case, the script does exactly that, then exits.

Finally, it will try to determine whether there is a newer version of the malware (which will always be the case if the final payload is not yet installed), and if so, it will download the payload from the URL provided in the downloadUrl parameter in the data from the command & control server. However, as can be seen from the data, at the time of analysis, the download URL was blank. Although we know that the script will store the payload at /tmp/verx, we have yet to see any instances of this payload on any infected machines. If the payload were actually downloaded, it would be launched with the args data as the arguments.

Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either "tasker" or "updater," depending on the version of the .pkg file. Both of these apps appear to be very simplistic placeholder apps that don't do anything interesting.

Malwarebytes researchers collaborated with Red Canary researchers on their find, and have collected significant data about the infection at this point. At the time of this writing, we've seen 39,080 unique machines with components of Silver Sparrow detected by Malwarebytes. Those detections are primarily clustered in the US, with more than 25,000 unique machines having Silver Sparrow detections.
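The on-disk artifacts described above (a per-user launch agent that runs verx.sh, the ~/Library/._insu self-delete marker, the /tmp/verx payload location, and the tasker/updater placeholder apps) are enough for a quick host triage. The script below is an added example written for this page, not Malwarebytes' or Red Canary's tooling. It assumes the placeholder apps are bundles named tasker.app and updater.app, matches the launch agent on its reference to verx.sh rather than on a plist file name (the write-up does not give one), and takes an optional root and home directory so it can be pointed at a mounted image or a test tree instead of the live system.

```shell
#!/bin/sh
# Added example: triage checks for the Silver Sparrow artifacts in the write-up.
# Not Malwarebytes' or Red Canary's code. Paths follow the write-up; the
# LaunchAgent plist file name is unknown, so the plist is matched on content,
# and the .app bundle names are assumed from the app names "tasker"/"updater".
#
# Usage: silver_sparrow_hunt [ROOT] [HOME_DIR]
#   ROOT defaults to "" (the live system, so paths start at /), HOME_DIR to
#   $HOME. Prints one "HIT ..." line per finding and returns the hit count as
#   its exit status, so 0 means nothing was found.

silver_sparrow_hunt() {
    root="${1:-}"
    home_dir="${2:-$HOME}"
    hits=0

    # 1. Per-user LaunchAgent that launches verx.sh once per hour.
    if [ -d "$home_dir/Library/LaunchAgents" ]; then
        for plist in "$home_dir"/Library/LaunchAgents/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q 'verx\.sh' "$plist" 2>/dev/null; then
                echo "HIT launch agent referencing verx.sh: $plist"
                hits=$((hits + 1))
            fi
        done
    fi

    # 2. Zero-byte marker that tells the script to delete itself. Its presence
    #    still proves the installer ran, so report it even though the agent
    #    may already be gone.
    if [ -e "$home_dir/Library/._insu" ]; then
        echo "HIT self-delete marker present: $home_dir/Library/._insu"
        hits=$((hits + 1))
    fi

    # 3. Where verx.sh would store a downloaded payload. The write-up has not
    #    observed one, so a hit here should be preserved before anything else.
    if [ -e "$root/tmp/verx" ]; then
        echo "HIT payload file present: $root/tmp/verx"
        hits=$((hits + 1))
    fi

    # 4. Placeholder apps dropped by the .pkg (bundle names are an assumption).
    for app in tasker.app updater.app; do
        if [ -d "$root/Applications/$app" ]; then
            echo "HIT placeholder app: $root/Applications/$app"
            hits=$((hits + 1))
        fi
    done

    return "$hits"
}
```

Run `silver_sparrow_hunt` with no arguments on a live Mac and check `$?`; on an image mounted at /Volumes/evidence, pass that path as the root and the user's home directory under it as the second argument. Because the marker file and the launch agent can exist independently (the agent removes itself once the marker appears), a marker-only result is still a confirmed past infection rather than a false positive.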
