Silver Sparrow Malwarebytes

admin 11/22/2021

A new macOS malware known as Silver Sparrow has silently infected almost 30,000 Mac devices with malware whose purpose is a mystery.

Silver Sparrow is a malicious program that aims to infect Mac computers. The security researchers found that this malware has two significantly different versions. Their key difference is the target Mac OS architecture. Malware researchers at Red Canary uncovered a new malware, dubbed Silver Sparrow, that is infecting Mac systems using the latest Apple M1 chip across the world. According to data shared by Malwarebytes, as of February 17, Silver Sparrow had already infected 29,139 macOS endpoints across 153 countries. Named Silver Sparrow, the malware has been seen distributed as two different files named 'updater.pkg' VirusTotal or 'update.pkg' VirusTotal. The only difference seen by Red Canary is that. As Ars Technica reports, security researchers at Malwarebytes and Red Canary discovered a mysterious piece of malware hiding on nearly 30,000 Macs, one designed to deliver an as-yet-unknown.

Silver Sparrow Malwarebytes

In a collaboration between Red Canary, Malwarebytes, and VMware Carbon Black, researchers have found a new Mac malware that exhibits unusual properties, including a component explicitly compiled for the new Apple M1 chip.

Silver Sparrow Malwarebytes Update

According to Malwarebytes, this malware has infected 29,139 Mac devices across 153 countries, with high volumes in the United States, the United Kingdom, Canada, France, and Germany.

Not your typical adware

While Apple has always prided itself over macOS' security, the reality is that the operating system is increasingly targeted by malware, ransomware, and adware.

In a new report by RedCanary, researchers reveal a new malware targeting Mac devices that is unlike most infections developed for the operating system.

Named Silver Sparrow, the malware has been seen distributed as two different files named 'updater.pkg' [VirusTotal] or 'update.pkg' [VirusTotal]. The only difference seen by Red Canary is that the update.pkg includes both an Intel x86_64 and an Apple M1 binary, while the updater.pkg only includes the Intel executable.

Unlike most macOS adware which uses 'preinstall' and 'postinstall' scripts to execute commands or install further malware, Silver Sparrow utilizes JavaScript to execute its commands. The use of JavaScript produces different telemetry that makes it harder to detect malicious activity based on command line arguments.

Using JavaScript, SilverSparrow will create shell scripts executed by the malware to communicate with the command and control servers and create LaunchAgent Plist XML files to execute shell scripts periodically.

The LaunchAgent will connect to the threat actor's command and control server every hour to check for new commands that the malware will execute.

While running, the malware will check for the presence of the ~/Library/._insu file, and if found, will remove itself and all associated files. The researchers have not been able to determine what triggers this kill switch.

Malware's purpose is a mystery

After observing the malware for a week, Red Canary researchers could not see further payloads downloaded and triggered by these hourly checks. Thus the malware's real purpose remains a mystery.

'In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution,' explains Red Canary's report.

The Intel and Mach-O binaries included with Silver Sparrow seem to be placeholders for an in-development malware as executing them only displays a screen stating 'Hello World' or 'You did it!,' as shown below.

Silver Sparrow Malware Malwarebytes

Unfortunately, Silver Sparrow's distribution also remains a mystery at this time.

'Other than the fact that it gets installed via an installer .pkg file, we have no idea. We don’t know how users would have initially found that installer. In fact, I’m a bit skeptical that it may even still be in distribution, in this form, at least,' Malwarebytes' Thomas Reed told BleepingComputer

How to check for the Silver Sparrow malware

If you use Malwarebytes for Mac, the program was updated over a week ago to detect if the Silver Sparrow malware is installed.

For those who do not use Malwarebytes or would like to check for the malware's presence manually, you can use the following checklist provided by Red Canary.

  • Look for a process that appears to be PlistBuddy executing in conjunction with a command-line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
  • Look for a process that appears to be sqlite3 executing in conjunction with a command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
  • Look for a process that appears to be curl executing in conjunction with a command-line that contains: This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

Silver Sparrow Malwarebytes Free

To perform these steps, you can use the following commands from Terminal:

If there are processes listed in the output, not including the ones above, you should immediately scan your device for malware and inspect it for further compromise.

Related Articles:

Silver Sparrow
Common nameSilver Sparrow
Technical nameVersion 1: updater.pkg; Version 2: update.pkg
Typecomputer virus
Operating system(s) affectedMacOS
FilesizeVersion 1: 53.13 KB; Version 2: 72.08 KB

The Silver Sparrowcomputer virus is malware that runs on x86- and Apple M1-based Macintosh computers.[1][2] Engineers at the cyber security firm Red Canary have detected two versions of the malware in January and February 2021.[3]


Two versions of the malware were reported. The first version (described as the 'non-M1' version) is compiled for Intel x86-64. It was first detected in January 2021.[3] The second version contains code that runs natively on Apple's proprietary M1 processor, and was probably released in December 2020 and discovered in February 2021.[4][3] The virus connects to a server hosted on Amazon Web Services.[5] The software includes a self-destruct mechanism.[1]

As of 23 February 2021, information about how the malware is spread and what system may be compromised is sparse. It is uncertain whether Silver Sparrow is embedded inside malicious advertisements, pirated software, or bogus Adobe Flash Player updaters. Red Canary has theorized that systems could have been infected through malicious search engine results that might have directed them to download the code.[3] The ultimate object of the malware's release is also still unknown.[3]

Mac Os Silver Sparrow

Silver Sparrow is the second malware virus observed to include M1-native code.[6]


As of 23 February 2021, Internet security company Malwarebytes has discovered over 29,000 Macs worldwide running their anti-malware software to be infected with Silver Sparrow.[7] Silver Sparrow infected Macs have been found in 153 countries as of February 17, with higher concentrations reported in the US, UK, Canada, France, and Germany, according to data from Malwarebytes.[1] Over 39,000 Macs were affected in the beginning of March 2021.[8]

On 23 February 2021, a spokesperson of Apple Inc. stated that 'there is no evidence to suggest the malware they identified has delivered a malicious payload to infected users.' Apple also revoked the certificates of the developer accounts used to sign the packages, preventing this way any additional Macs from becoming infected.[9]


  1. ^ abcBusiness, Alexis Benveniste, CNN. 'Nearly 30,000 Macs reportedly infected with mysterious malware'. CNN. Retrieved 2021-02-21.
  2. ^Hollister, Sean (2021-02-21). 'Sophisticated hackers snuck sleeper malware into nearly 30,000 Macs'. The Verge. Retrieved 2021-02-23.
  3. ^ abcde'Silver Sparrow macOS malware with M1 compatibility'. Red Canary. 2021-02-18. Archived from the original on 2021-03-25. Retrieved 2021-03-31.
  4. ^'Mysterious malware found on 30,000 Macs'. 2021-02-22. Retrieved 2021-02-23.
  5. ^'Thousands infected with 'mystery' virus'. NewsComAu. 2021-02-22. Retrieved 2021-02-23.
  6. ^Goodin, Dan (2021-02-20). 'New malware found on 30,000 Macs has security pros stumped'. Ars Technica. Retrieved 2021-02-23.
  7. ^'Mysterious malware discovered on 30,000 new Macs'. The Independent. 2021-02-22. Retrieved 2021-02-23.
  8. ^'macOS Malware Silver Sparrow Affects About 40,000 Macs Running Both Intel and ARM Chips'. CPO Magazine. 2021-03-04. Archived from the original on 2021-03-04. Retrieved 2021-03-28.
  9. ^'Apple Takes Action Against Silver Sparrow Malware Discovered on 30K Infected Macs'. PCMAG. Retrieved 2021-02-24.

Silver Sparrow Malwarebytes Reviews

Retrieved from ''