
I just read about this new malware found to have infected 30,000 Macs. Here's the link to information: https://redcanary.com/blog/clipping-silver-sparrows-wings/



Has anyone come up with some strategies to find and remove this from Macs in their environment?



Thanks for sharing.

Hi,



What do I have to do so that the EA is displayed in my computer administration? I've created the EA but I can't see it, so I can't create a smart group... Thank you!





EDIT: GOT IT! Just changed to "integer" :-)


We are using the Microsoft Security Center to find infected clients with advanced hunting queries. So far so good, no client showed up so far. Thank you for sharing the additional files / indicators! 🙂


It is highly unlikely that there would be a single process name to block with Jamf. That's a busted methodology for dealing with malware, or even Google-savvy kids.


Can this EA be set as Default for the Script options?


To be more specific, just confirming the EA setup should look like this:




@acornetta Yes, exactly like that


Thank you Nathan, just curious have any folks out here seen this smart group yield a significant number of affected endpoints?


Hi, so once I've added the extension attribute and made it live, how do I push this to clients to start reporting? Should I have written out a separate script? Or is the EA fine?


Ahh, it has started collecting. To confirm, I would see this under General > Extension Attributes and NOT under the Extension Attributes section on the left-hand side of a computer record?


@jonathan.rudge - depends on your settings...


@ncworster



Great EA!



Got it up and running in our environment as well, and set up some webhooks to Teams in case the Smart Group gets populated.


Thank you for sharing this script! Thumbs up!


@ncworster Thank you for sharing your script!


Seems like my post was lost. Thanks @ncworster for the script! I've adapted it to add several malware descriptions; then I have a smart computer group and a policy that asks the end user to contact the helpdesk.


Hey @jonathan.rudge
The setting under Inventory Display allows you to set where on a computer's inventory display the results of an EA should appear.





For the sake of completeness: The dropdown menus at Default Mode and Default Theme are only there to customize the syntax highlighting and the appearance of scripts within the Jamf Pro interface. These settings have no effect on the functionality of a script ;-)


@abuehler thanks, all sorted now. Did a test on my own MacBook and it reported back and the smart group alerted! Great script, thanks everyone!


I'm interested in the real-world infection totals. Assuming most here are running at least some sort of anti-virus and malware solution.


Yesterday, I used the touch command to create one of the suspect files. The EA and Smart Group reported it. Today that file is gone. Could it be the result of the releases of MRT 1.66 and XProtect 2129? I haven't checked the logging from our security agents to determine who is responsible.
Has anyone else observed that the files are being deleted?
EDITED - Ignore my statements above. The test file is in place on my test device.


@jhalvorson Any chance your file that was deleted was in /tmp?


@julhs the file I created was /Users/testusername/Library/Application Support/verx_updater


Hi All - Script works great for me. Can someone share steps on how to delete those files through a policy?


@agakhan_admin
I think it could be a good way to write a script and delete the files with the rm command.


Will the script be like below?



#!/bin/zsh

rm -R /Applications/tasker.app
rm -R /tmp/agent.sh
rm -R /tmp/version.json
and so on.....
"/tmp/version.plist"
"/tmp/agent"
"/tmp/verx"
"/Users/$user/Library/._insu"
"/Users/$user/Library/Application Support/agent_updater/agent.sh"
"/Users/$user/Library/Application Support/verx_updater/verx.sh"
"/Users/$user/Library/Application Support/verx_updater"
"/Users/$user/Library/Launchagents/agent.plist"
"/Users/$user/Library/Launchagents/init_agent.plist"
"/Users/$user/Library/Launchagents/verx.plist"
"/Users/$user/Library/Launchagents/init_verx.plist"


Quick & d... modified EA and Removal Script to include all existing user accounts:
Removal Script scoped on infected clients:



#!/bin/bash

# Created 20210222 by Nathan Worster
# edited 20210304 by Rémi Brinckmann
# Portions adapted from @ehemmete
# Last modified: 20210222

###############
# Variables #
###############

useraccounts=$(ls /Users/ | grep -v Shared)
infected=()   # files that were found but could not be removed
cleaned=()    # files that were found and removed
filesFound=0
exitCode=0

for user in $useraccounts
do
    suspiciousFiles=(
        "/Applications/tasker.app"
        "/tmp/agent.sh"
        "/tmp/version.json"
        "/tmp/version.plist"
        "/tmp/agent"
        "/tmp/verx"
        "/Users/$user/Library/._insu"
        "/Users/$user/Library/Application Support/agent_updater/agent.sh"
        "/Users/$user/Library/Application Support/verx_updater/verx.sh"
        "/Users/$user/Library/Application Support/verx_updater"
        "/Users/$user/Library/Launchagents/agent.plist"
        "/Users/$user/Library/Launchagents/init_agent.plist"
        "/Users/$user/Library/Launchagents/verx.plist"
        "/Users/$user/Library/Launchagents/init_verx.plist"
    )

    ###############
    # Script #
    ###############

    for suspiciousFile in "${suspiciousFiles[@]}"; do
        #echo "Looking for $suspiciousFile in User Profile of $user"
        if [ -e "$suspiciousFile" ]; then
            filesFound=$(expr $filesFound + 1)
            echo "Found $suspiciousFile - trying to remove it"
            rm -rf "$suspiciousFile"
            if [ $? -gt 0 ]; then
                echo "ERROR: Could not remove $suspiciousFile"
                exitCode=1
                infected+=("$suspiciousFile")
            else
                echo "SUCCESS: Removed $suspiciousFile"
                cleaned+=("$suspiciousFile")
            fi
        fi
    done
done

if [ $exitCode -ne 0 ]; then
    echo "Files that could not be deleted: ${infected[@]}"
else
    echo "All Files removed: ${cleaned[@]}"
fi

exit $exitCode


Modified EA:



#!/bin/bash

# Created 20210222 by Nathan Worster
# edited 20210304 by Rémi Brinckmann
# Portions adapted from @ehemmete
# Last modified: 20210222

###############
# Variables #
###############

useraccounts=$(ls /Users/ | grep -v Shared)
result=()      # indicator files found on this machine
filesFound=0

for user in $useraccounts
do
    suspiciousFiles=(
        "/Applications/tasker.app"
        "/tmp/agent.sh"
        "/tmp/version.json"
        "/tmp/version.plist"
        "/tmp/agent"
        "/tmp/verx"
        "/Users/$user/Library/._insu"
        "/Users/$user/Library/Application Support/agent_updater/agent.sh"
        "/Users/$user/Library/Application Support/verx_updater/verx.sh"
        "/Users/$user/Library/Application Support/verx_updater"
        "/Users/$user/Library/Launchagents/agent.plist"
        "/Users/$user/Library/Launchagents/init_agent.plist"
        "/Users/$user/Library/Launchagents/verx.plist"
        "/Users/$user/Library/Launchagents/init_verx.plist"
    )

    ###############
    # Script #
    ###############

    for suspiciousFile in "${suspiciousFiles[@]}"; do
        #echo "Looking for $suspiciousFile in User Profile of $user"
        if [ -e "$suspiciousFile" ]; then
            filesFound=$(expr $filesFound + 1)
            result+=("$suspiciousFile")
        fi
    done
done

# Jamf reads the EA value from between the <result> tags
if [ $filesFound -ne 0 ]; then
    echo "<result>Yes: ${result[@]}</result>"
else
    echo "<result>No</result>"
fi

exit 0
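An added example that is not the EA or removal script posted in this thread: it checks the same indicator paths, but separates the machine-wide paths from the per-user ones, finds home directories by globbing /Users (skipping Shared and Guest) instead of parsing ls output, and takes an optional root prefix (an assumption for testing, empty on a real Mac) so the check can be run against a constructed directory tree.

```sh
#!/bin/sh
# Added example, not the EA from this thread: same Silver Sparrow indicator
# paths, split into machine-wide and per-user lists, checked under a ROOT
# prefix so the logic can be exercised on a constructed tree.

# One indicator per line; the USER_PATHS entries are relative to each
# user's home directory.
SYSTEM_PATHS='/Applications/tasker.app
/tmp/agent.sh
/tmp/version.json
/tmp/version.plist
/tmp/agent
/tmp/verx'

USER_PATHS='Library/._insu
Library/Application Support/agent_updater/agent.sh
Library/Application Support/verx_updater/verx.sh
Library/Application Support/verx_updater
Library/LaunchAgents/agent.plist
Library/LaunchAgents/init_agent.plist
Library/LaunchAgents/verx.plist
Library/LaunchAgents/init_verx.plist'

# Print each indicator present under ROOT ($1; empty means the real root),
# one per line and without the ROOT prefix. Home directories are taken
# from ROOT/Users; Shared and Guest are skipped.
find_silver_sparrow_indicators() {
  root=$1
  printf '%s\n' "$SYSTEM_PATHS" | while IFS= read -r p; do
    if [ -e "$root$p" ]; then printf '%s\n' "$p"; fi
  done
  for home in "$root"/Users/*/; do
    home=${home%/}
    case ${home##*/} in Shared|Guest) continue ;; esac
    printf '%s\n' "$USER_PATHS" | while IFS= read -r p; do
      if [ -e "$home/$p" ]; then printf '%s\n' "${home#"$root"}/$p"; fi
    done
  done
  return 0
}

# Wrap the findings in the <result> tags a Jamf extension attribute expects.
report_ea_result() {
  found=$(find_silver_sparrow_indicators "$1")
  if [ -n "$found" ]; then
    printf '<result>Yes: %s</result>\n' "$(printf '%s' "$found" | tr '\n' ' ')"
  else
    printf '<result>No</result>\n'
  fi
}
```

Calling `report_ea_result` with no argument checks the live filesystem; passing a directory checks a tree rooted there instead.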

How many people actually found infections?

