Silver Sparrow: what is different about the latest Mac malware, and what can you do about it?

Yannis LagogiannisApple, macOS

In the past week, security researchers from Red Canary, aided by the team at Malwarebytes,  published details of a newly discovered Mac-focused malware they have dubbed Silver Sparrow. The malware has already been detected on 39,000 Macs in more than 160 countries across the globe and is able to run natively on both Intel and Apple Silicon devices.

“Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature – a payload.” Source: Red Canary

While the existence of malware on the Mac platform is a well-documented and visible reality (those who proclaim otherwise are urged to carefully study the report), the announcement of Silver Sparrow has created quite a stir in the Apple tech community. This has prompted Apple to react swiftly by revoking the certificates used for distribution of the malicious code. 

What is different about Silver Sparrow?

The concerns raised in the media are valid too. This is a sophisticated malware designed to specifically target Macs and is able to run natively on both Intel and M1-based Macs through different binaries leveraging JavaScript, while it has already established an active bot-net spanning tens of thousands of Macs across multiple countries. 

The greatest concern, however, is that little is understood so far regarding Silver Sparrow’s purpose. Infected Macs are seen to contact a control server once per hour, checking for available commands or executable binaries. But the apparent lack of a payload is yet to reveal the purpose of this bot-net. Despite this, the general consensus in the community is that, as the Mac keeps increasing in popularity, those potential high-value targets will fuel the development of even more sophisticated malware, an early view of which we are seeing with Silver Sparrow.

“At this time, we have yet to see the /tmp/verx payload. None of the infected machines have it installed. This means that, as Red Canary said, we have little information on what the intent of this malware is.” Source: Malwarebytes

How can organisations protect their Macs?

Beyond the drama surrounding this new type of Mac-focused malware and its still unknown purpose, remediating against Silver Sparrow appears to be relatively straightforward as long as the appropriate Mac device management and security tools are in place. 

At dataJAR, our strategy towards securing our customers’ devices against Silver Sparrow is to combine the best-of-breed tools at our disposal, to achieve a complete level of protection against this new threat. 

  • On a device level we already have confirmation from our partners Malwarebytes, who have helped the researchers from Red Canary understand Silver Sparrow in depth, that their EDR tool is able to detect and remediate against this new threat.
  • dataJAR Defend, our Mac Security-as-a-Service tool, provides a higher degree of protection at platform level. By fully integrating with Malwarebytes and leveraging the Incident Response functionality, while combining that with advanced on-device automation and our team’s Mac security skills, we can provide organisation-wide detection and remediation for all customers

Finally, for admins who manage their own Jamf Pro environments, we can leverage Jamf Protect’s unparalleled reporting and Threat Prevention features to provide full remediation and security against Silver Sparrow.

If you would like to find out how dataJAR can protect your Mac estate from malware, please get in contact here.