Silver Sparrow has infected almost 300k Mac devices.

Once again a silent malware has reminded us that nothing is impenetrable – find out about the Silver Sparrow attack on almost 300k Mac devices!

Since its debut, Apple has been recognized as one of the strongest technology companies on the world market; with approximately 1.7 billion devices sold worldwide, it is fair to say that we all trust Apple and its operating systems, iOS and macOS. But a strong operating system does not necessarily mean an impenetrable one, as the news showed when a piece of malware went unnoticed and infected almost 300k Mac devices. Read on to find out about the attack of this malware, known as Silver Sparrow.


Let’s get to know a little about macOS and its security

macOS stands for Macintosh Operating System; it is the operating system created by Apple for its line of computers and one of the most used operating systems in the world after Windows. It is recognized mainly for its security against threats, since it ships with state-of-the-art antivirus software. It also has protections such as Execute Disable (XD), address space layout randomization (ASLR) and System Integrity Protection (SIP). In the same way, every application, document, folder or action you perform must be explicitly authorized by you, as must access to the camera, microphone, downloads, etc.

In the same way, macOS has FileVault 2, a data encryption system that ensures all your information is safe: FileVault 2 can encrypt your computer’s hard drive using XTS-AES-128 encryption. On the browser side there is Safari, which takes care of protecting your privacy from technologies such as smart tracking, since it can identify unauthorized trackers; it also produces weekly reports that show you in detail how Safari has kept you protected.

In addition, remember that all passwords used are protected in iCloud, and Safari will alert you to any interference or password recovery attempt. It also includes tracking to find your Mac if you lose it, even when it is offline or in sleep mode. Beyond these, there are many other security restrictions that Apple has added over the years; in this way it has managed to position itself in the market as one of the most secure technology companies, and because of its closed ecosystem its security is described by many as impenetrable.

So, if it is so impenetrable, how did they manage to hack it?

Not much is really known yet about how the devices were compromised. What is known is that, according to a report by Red Canary earlier this month, the researchers came across a strain of macOS malware that used a LaunchAgent for persistence. That in itself is nothing new.

However, that investigation found that this malware did not exhibit the behaviors normally expected of malware that typically targets macOS systems. The novelty of this downloader arises primarily from its use of JavaScript for execution; something I had not previously encountered in other macOS malware. Malwarebytes was also involved in this investigation; it determined that the total number of infected Mac devices was 29,139 devices in 57 different countries.

The way this malware behaved once inside the system is somewhat suspicious. Normally, after penetrating a system, malware waits for the attackers’ commands to carry out the objective of the attack; Silver Sparrow, however, never received such commands, so its goal is unknown. That does not mean we should regard it as “a failed attack”; it may be more dangerous than it seems, since by refraining from acting within the system it prevents investigators from studying its objective, which makes it much more sophisticated.

How can we know if our computer is infected with Silver Sparrow?

First, keep in mind that this malware may not be easy to identify, because as such it performs no action once inside the system; it may therefore go undetected and may not interfere with your computer’s functions at all. It is still important to get rid of it, because we do not know the full extent of this malware or whether it may cause more problems in the future. You may suspect that your computer is infected from certain indicators, such as an advertisement telling you to download a Mac update, or downloaded files appearing that you do not remember downloading.

Red Canary reports that there are 4 files that may indicate your computer is infected. These are:

In versions 1 and 2:

  • ~/Library/._insu
  • /tmp/
  • /tmp/version.json
  • /tmp/version.plist

The way you can search for this malicious installer, according to Red Canary’s instructions, is:

Search for a running process named “PlistBuddy” whose command line contains “LaunchAgents” and “RunAtLoad” together with “true”. This search is not specific to Silver Sparrow: it identifies a range of malware, since it flags any process that registers a “LaunchAgent” entry that macOS will run at login.

In the same way, you can search for the process named “sqlite3” running with a command line containing “LSQuarantine”. This search identifies malware that manipulates the records macOS keeps about downloaded files and that searches their metadata.

Finally, you can look for the “curl” process run with a command line containing “”. This option reveals malware that uses S3 buckets for distribution.
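As an added example that is not from the article or from Red Canary, the file indicators in the list and the three process hunts above can be expressed as one small script. Process records are assumed to be dicts with a `name` and a `cmdline` key; the curl string is a labelled placeholder because the article leaves it blank, and the sample records are constructed.

```python
"""Added example: hunt for the Silver Sparrow indicators listed above, both
the file artefacts and the three process / command-line patterns. Process
records are dicts with 'name' and 'cmdline' (sample or EDR export)."""
import os

# File indicators from the article. "/tmp/" is an ordinary directory on every
# Mac, so it is not a usable indicator by itself and is left out here.
FILE_INDICATORS = [os.path.expanduser("~/Library/._insu"),
                   "/tmp/version.json", "/tmp/version.plist"]

# Placeholder (assumption): the article leaves the curl string blank; put the
# value from Red Canary's report here before relying on the third rule.
CURL_NEEDLE = "REPLACE_WITH_S3_STRING_FROM_REPORT"

# (label, process basename, substrings that must all appear in the command line)
RULES = [
    ("LaunchAgent RunAtLoad via PlistBuddy", "plistbuddy",
     ("LaunchAgents", "RunAtLoad", "true")),
    ("LSQuarantine queried via sqlite3", "sqlite3", ("LSQuarantine",)),
    ("curl to S3 distribution host", "curl", (CURL_NEEDLE,)),
]

def match_process(proc):
    """Labels of every rule matched by one process record; the process name is
    compared case-insensitively on its basename, substrings case-sensitively."""
    name = os.path.basename(proc.get("name", "")).lower()
    cmd = proc.get("cmdline", "")
    return [label for label, pname, needles in RULES
            if name == pname and all(n in cmd for n in needles)]

def hunt(procs):
    """(label, cmdline) pairs for every process record that matches a rule."""
    return [(label, p.get("cmdline", ""))
            for p in procs for label in match_process(p)]

def present_file_indicators():
    """File indicators that exist on the host running this script."""
    return [p for p in FILE_INDICATORS if os.path.exists(p)]

# Constructed sample records (not real telemetry): two should match, two not.
SAMPLE = [
    {"name": "/usr/libexec/PlistBuddy", "cmdline": 'PlistBuddy -c "Add :RunAtLoad '
     'bool true" /Users/x/Library/LaunchAgents/agent.plist'},
    {"name": "sqlite3", "cmdline": "sqlite3 QuarantineEventsV2 "
     "'select * from LSQuarantineEvent'"},
    {"name": "sqlite3", "cmdline": "sqlite3 notes.db 'select * from notes'"},
    {"name": "curl", "cmdline": "curl -s https://example.invalid/update.json"},
]
```

Calling `hunt(SAMPLE)` returns the two expected hits (the PlistBuddy and the LSQuarantine records); `present_file_indicators()` lists whichever of the three files exist on the host, so an empty list on a clean machine is the normal result.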
