Last week, malware dubbed “Silver Sparrow” was discovered by Red Canary. The malware targets macOS machines with either x86 or M1 chips.

Silver Sparrow installations were found in approximately 30K macOS endpoints across 153 countries, mainly the US, UK, Canada, France, and Germany, a fact that could indicate a large-scale campaign.

Hunters’ security research team reviewed the discovered malware and developed a new set of TTP-based detections that can be applied to detect Silver Sparrow, as well as attacks that use similar methodologies to the ones applied by this adversary.

Why Should Experts Care about Silver Sparrow?
  1. Everyone enjoys a fine mystery – While the cyber security community is still investigating this malware, several information gaps remain unfilled and offer some interesting hints to be investigated further:
    • The initial infection vector is still unknown. There are suspicions that the attackers used search engines to direct victims to download the malware but at this point the evidence is limited and therefore it is hard to clearly identify the infection vector.
    • The motivation and the purpose of the attacker also remain to be determined. No evidence of malicious payload execution was found on the observed macOS machines. The likely conclusion is that this was either a testing campaign for new malware, or a spearhead for future campaigns (for example: by selling parts of the botnet to 3rd-parties.)
    • We don’t know who’s behind the campaign. There are no conclusive indicators that would allow us to attribute the creator of this malware.
  2. Is it a bird? An airplane? No, it’s an Apple-targeting malware! – Apple operating systems are world-renowned for their security, among other things. But the fact is that Silver Sparrow joins a recently detected malware dubbed “GoSearch22” that also targets Apple M1 chips. It is thus possible that we are at the start of a series of macOS and iOS malware.
  3. A well-prepared adversary – While the M1 chip had already seen Linux ported to it earlier this year, Apple’s chip is brand new, first announced in October 2020, which means that either the adversary had Apple’s M1 hardware and/or OS before it was released to the market, or it took them three months to reverse-engineer the product, adjust a piece of malware or write it from scratch, and deploy it around the globe. Alternatively, the attacker might have leveraged previous knowledge from the M1 Linux port. Those are signs of a potentially powerful adversary, or at least one that is fast to adapt.
  4. A potential threat to enterprises – At this point, we’re only aware of approximately 30,000 Mac machines being affected by the malware. While this is a limited number of infections, we do not know the goal of this campaign or its target. The growing use of macOS across enterprises, coupled with the decrease in network protection capabilities due to remote work during the pandemic, can make this a threat for companies and should be addressed.
Technical Overview:
Two separate variants of Silver Sparrow were uncovered by Red Canary. The major difference between them is that while one variant contained a dedicated x86_64 Mach-O binary, the other included binaries for both the x86_64 and Apple’s M1 architectures. Did we mention a mystery? Those binaries were called “bystander binaries” by the researchers; they don’t do much: upon execution, the x86_64 binary simply displays the message “Hello, World!” while the M1 binary shows “You did it!”.
Messages displayed by Silver Sparrow binaries as found on Red Canary's blog post

Both variants are delivered via an installation package and execute code in the distribution phase using the macOS Installer JavaScript API. Continuing the malware’s novelty, using JavaScript code “is a technique that we hadn’t previously encountered in other macOS malware” said Red Canary’s researchers.

After installation, a shell script executes and communicates, once an hour, with a C2 server hosted on an AWS S3 bucket, looking for a further payload to download and execute. The C2 communication goes to the same URL the malware was downloaded from. Another observed feature is a self-destruct mechanism that looks for a specific indicator and removes the malware when it is found.

Hunters’ Proposed TTPs Detections:

Apple revoked the certificates of the developer accounts used to sign the packages, as a way to prevent further infections, and Amazon reacted by shutting down the domains involved so that the C2 activity also stops working. However, we still recommend checking all macOS machines for potential infection with the malware.

Hunters developed a set of TTP-based detections for Silver Sparrow, as described below. We recommend that security teams adopt these TTP detections in addition to the IOCs used by a variety of security products to block this execution, as they can help spot attackers using the same techniques.

Detections for these TTPs were added to the Hunters’ XDR platform and all Hunters’ customer environments were reviewed for the presence of Silver Sparrow IOCs and the TTPs described below.

  1. Plist, not your buddy – Silver Sparrow creates a LaunchAgent via a PlistBuddy process, the first indicator of malicious activity. We researched PlistBuddy usage and how to produce a detector from it.
    • We queried raw data looking for executed PlistBuddy commands. As you can see in the picture below, there is a large number of legitimate PlistBuddy commands.
Query looking for PlistBuddy commands in raw data

    • Next, we inspected the command line by extracting the Plist file name, generating a list of potentially malicious processes running on a small number of machines. In addition, we further investigated the devices that created the Plist file, looking at the frequency of the process in the organization and examining it against a variety of threat intelligence sources. In the end, our scoring module assigns this “threat lead” a score.
Extracting Plist File Name
    • The detection to be added looks for PlistBuddy commands executing unique processes on single hosts.

  2. Malicious use of curl – Attackers commonly use curl as an effective tool for a variety of purposes. In this case, the curl command was used to communicate with the original package file download URL, which pointed to the AWS S3 bucket.
    • We queried our data looking for curl executions.
Query for curl executions

    • Since the noise was enormous, we inspected the command lines, extracted the domain name, and extended the query with the following filter looking for malicious indicators (output redirection or switches that write the response to disk):

AND COMMAND_LINE like any ('% > %', '%-o /tmp%', '%-p %', '%-Q %', '%--output%', '%-fO%')

    • The results show only 12 domains that might not be legitimate, which analysts can easily go through. Our further investigation mechanism compared the frequency of accessing these domains in the organization, performed a reputation test, and eventually scored the threat lead.
12 suspicious domains that are easy to go through

    • The detection to be added to Hunters XDR looks for unique curl commands referring to suspicious domains.
  3. /tmp – Lastly, Silver Sparrow executed the “verx” file from /tmp, an action that is uncommon among macOS users and a TTP that is also covered by the detections.
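As an added example (not Hunters' code or queries), the three TTPs above expressed as rules over a constructed set of process events. It assumes each event is a (host, command line) pair and that a key seen on only one host counts as "unique"; the hostnames, plist name and bucket domain are constructed placeholders, not indicators from the campaign.

```python
import re
import shlex
from collections import defaultdict
# Constructed sample process events (host, command line); not real telemetry.
EVENTS = [
    ("mac-01", "/usr/libexec/PlistBuddy -c 'Set :CFBundleVersion 2.1' /Applications/Foo.app/Contents/Info.plist"),
    ("mac-02", "/usr/libexec/PlistBuddy -c 'Set :CFBundleVersion 2.1' /Applications/Foo.app/Contents/Info.plist"),
    ("mac-03", "/usr/libexec/PlistBuddy -c 'Add :Label string agent' /Users/bob/Library/LaunchAgents/agent.plist"),
    ("mac-01", "curl -fO https://updates.example.com/tool.pkg"),
    ("mac-02", "curl -fO https://updates.example.com/tool.pkg"),
    ("mac-03", "curl -fO https://example-bucket.s3.amazonaws.com/pkg/installer.pkg"),
    ("mac-03", "/tmp/verx"),
]

# The post's curl indicators: output redirection or write-to-file switches.
CURL_FLAGS = re.compile(r"( > |-o /tmp|-p |-Q |--output|-fO)")
URL_HOST = re.compile(r"https?://([^/\s:]+)")

def rare_keys(pairs, max_hosts=1):
    """Group (host, key) pairs by key; keep keys seen on at most max_hosts hosts."""
    hosts = defaultdict(set)
    for host, key in pairs:
        hosts[key].add(host)
    return {k: sorted(h) for k, h in hosts.items() if len(h) <= max_hosts}

def plistbuddy_rule(events):
    """TTP 1: PlistBuddy writing a plist whose file name is unique to one host."""
    pairs = []
    for host, cmd in events:
        argv = shlex.split(cmd)
        if argv and argv[0].endswith("/PlistBuddy"):
            plists = [a for a in argv[1:] if a.endswith(".plist")]
            if plists:
                pairs.append((host, plists[-1].rsplit("/", 1)[-1]))
    return rare_keys(pairs)

def curl_rule(events):
    """TTP 2: curl saving output to disk, keyed by domain, rare across the fleet."""
    pairs = []
    for host, cmd in events:
        argv = shlex.split(cmd)
        if argv and argv[0].rsplit("/", 1)[-1] == "curl" and CURL_FLAGS.search(cmd):
            match = URL_HOST.search(cmd)
            if match:
                pairs.append((host, match.group(1)))
    return rare_keys(pairs)

def tmp_exec_rule(events):
    """TTP 3: a process image executed directly from /tmp."""
    return [(host, cmd) for host, cmd in events if shlex.split(cmd)[0].startswith("/tmp/")]
```

Raising max_hosts widens the net to keys seen on a handful of machines, which is the trade-off between coverage and the analyst's triage load the post describes.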

Want to learn more about Silver Sparrow and prepare for the next attack? Let us know.