Silver Sparrow Malware

psherotov
Contributor

I just read about this new malware found to have infected 30,000 macs. Here's the link to information: https://redcanary.com/blog/clipping-silver-sparrows-wings/

Has anyone come up with some strategies to find and remove this from macs in their environment?

Thanks for sharing.

58 REPLIES 58

psherotov
Contributor

According to the article these are files to look for:

~/Library/._insu (empty file used to signal the malware to delete itself)
/tmp/agent.sh (shell script executed for installation callback)
/tmp/version.json (file downloaded from from S3 to determine execution flow)
/tmp/version.plist (version.json converted into a property list)

mschroder
Valued Contributor

I have to admit I find it very strange that only files in /tmp are supposed to indicate the presence of the malware - or the file that had instructed the malware to delete itself.

monogrant
Contributor

The files in /tmp are indicators of compromise, not the staged malware. Review the "Detection opportunities" section.

This is where Jamf Pro being able to block apps by signature, not just execution process name, would be helpful.

Obviously we can't block them by name using this...

Version 1
File name: updater.pkg (installer package for v1)
MD5: 30c9bc7d40454e501c358f77449071aa

File name: updater (bystander Mach-O Intel binary in v1 package)
MD5: c668003c9c5b1689ba47a431512b03cc

Verison 2
File name: update.pkg (installer package for v2)
MD5: fdd6fb2b1dfe07b0e57d4cbfef9c8149

tasker.app/Contents/MacOS/tasker (bystander Mach-O Intel & M1 binary in v2)
MD5: b370191228fef82635e39a137be470af

The signatures have been revoked by Apple. I'm looking for confirmation if this has been added to XProtect by Apple. I have to assume so, but want validation.

acornetta
New Contributor

Is there any recommended method of searching for these tmp files across enrolled devices?

pete_c
Contributor III

Try SilentKnight and/or SUS Inspector to check for XProtect status and updates.

mschroder
Valued Contributor

@acornetta One way would be to create an Extension Attribute for this, but then you have to wait that it gets populated.

howie_isaacks
Valued Contributor II

An extension attribute seems to be the best way to find out if any of our Macs were infected. We could also temporarily setup inventory updates to run at check-in instead of daily to help populate the Mac inventories faster. We can also change the setting for what folders are searched when inventories are ran. I did this when we deployed SentinelOne since it doesn't install into the Applications folder.

mark_mahabir
Valued Contributor

We are using this EA, courtesy of @ehemmete on Slack.

#!/bin/bash
globalFilesToLookFor=(
    "/tmp/agent.sh"
    "/tmp/version.json"
    "/tmp/version.plist"
    "/tmp/agent"
    "/tmp/verx"   
)
userFilesToLookFor=( # relative to ~/
    "Library/._insu"
    "Library/Application Support/agent_updater/agent.sh"
    "Library/Launchagents/agent.plist"
    "Library/Launchagents/init_agent.plist"
    "Library/Application Support/verx_updater/verx.sh"
    "Library/Launchagents/verx.plist"
    "Library/Launchagents/init_verx.plist"
)
result=()
filesFound=0
for globalFile in "${globalFilesToLookFor[@]}"; do
    #echo "Looking for $globalFile"
    if [ -e "$globalFile" ]; then
        filesFound=$(expr $filesFound + 1)
        result+=("$globalFile")
    fi
done
allUsers=$(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}')
for username in $allUsers; do
    homeDir=$(dscl . read /Users/"$username" NFSHomeDirectory | awk -F ": " '{print $2}')
    for userFile in "${userFilesToLookFor[@]}"; do
        #echo "Looking in $homeDir for $userFile"
        if [ -e "${homeDir}/${userFile}" ]; then
            filesFound=$(expr $filesFound + 1)
            result+=("$userFile")
        fi
    done
done
if [ $filesFound -ne 0 ]; then
    echo "<result>${result[@]}</result>"
else
    echo "<result>None</result>"
fi

DBIAdmin
New Contributor II

Just looking to understand how this EA works. So once I create the EA? Would I create a smart group based on the criteria of this EA to place the systems in the group letting me know if its infected. Thank you in advance.

walt
Contributor III

@DBIAdmin You can create an advanced search or smart group to report devices that are infected, something along the lines of EA 'is not' 'None' and 'is not' 'blank' or some other logic depending on how you configure the EA

howie_isaacks
Valued Contributor II

Thanks @mark.mahabir !!! I'm going to give this a try. I was just now trying to write something.

elund
New Contributor III

Here are a couple other SilverSparrow directories to watch for-- /Applications/tasker.app
/private/tmp/version.plist
/User/firstlast/Library/Application Support/verx_updater

howie_isaacks
Valued Contributor II

I'm trying to figure out how to craft a smart group using the results of this EA. I manually created a file called "init_verx.plist" and placed it at ~/Library/LaunchAgents. The EA detects it. What I was looking for was an integer. That's what the EA seems to use. This is what I see in my machine inventory. I assume if the other files were present, I would see those too.
2b670e64b4e94ca18c43cb898352cd07

ncworster
New Contributor III

Hey @howie_isaacks,

Here's the EA I'm using, partially adapted from the @ehemmete EA that @mark.mahabir posted above. My results add a "Yes: " to the list of offending files so you can configure a Smart Group like in the image I've posted below.

#!/bin/bash

# Created 20210222 by Nathan Worster
# Portions adapted from @ehemmete 
# Last modified: 20210222

###############
# Variables   #
###############

user=`ls -la /dev/console | cut -d " " -f 4`
result=()
filesFound=0
suspiciousFiles=(
    "/Applications/tasker.app"
    "/tmp/agent.sh"
    "/tmp/version.json"
    "/tmp/version.plist"
    "/tmp/agent"
    "/tmp/verx"
    "/Users/$user/Library/._insu"
    "/Users/$user/Library/Application Support/agent_updater/agent.sh"
    "/Users/$user/Library/Application Support/verx_updater/verx.sh"
    "/Users/$user/Library/Application Support/verx_updater"
    "/Users/$user/Library/Launchagents/agent.plist"
    "/Users/$user/Library/Launchagents/init_agent.plist"
    "/Users/$user/Library/Launchagents/verx.plist"
    "/Users/$user/Library/Launchagents/init_verx.plist"
)

###############
# Script      #
###############

for suspiciousFile in "${suspiciousFiles[@]}"; do
echo "Looking for $suspiciousFile"
if [ -e "$suspiciousFile" ]; then
    filesFound=$(expr $filesFound + 1)
    result+=("$suspiciousFile")
    fi
done

if [ $filesFound -ne 0 ]; then
    echo "<result>"Yes: "${result[@]}</result>"
else
    echo "<result>No</result>"
fi

exit

975a6005b3504183be4350af273fd443

howie_isaacks
Valued Contributor II

@ncworster Thank you! I need to learn better how to write extension attributes.

scottb
Honored Contributor

@ncworster - thx for that!

DBIAdmin
New Contributor II

@walt Thanks... I was able to figure it out. I created a couple test files in the directory to test it and it worked like a charm.

howie_isaacks
Valued Contributor II

The EA from @ncworster worked great. It picked up all of the test files that I created. I setup a smart group that sends an email when a Mac becomes a member of the group.

jwojda
Valued Contributor II

Thanks for all your help! Anybody with copies of the malware able to identify the process name for the SilverSparrow malware to add to the restricted software?

irobinso
New Contributor III

On a related note, once we've used an extension attribute to detect the presence of the malware, is the remediation to simply delete those files? Or is a more thorough process required? I'm sure it would be a good idea to run a deeper malware scan on any affected devices, but I'm mostly curious about removing this specific piece of malware.

donmontalvo
Esteemed Contributor III

So far reports show it is benign, and pretty sure Apple is going to update XProtext and MRT soon.

--
https://donmontalvo.com

ncworster
New Contributor III

We're removing all the aforementioned files, but it's not actually doing anything and appears to be benign so far.

howie_isaacks
Valued Contributor II

Benign or not, I consider them to be hostile if they appear on someone's Mac uninvited.

ncworster
New Contributor III

Oh, undoubtedly! We're treating this as a hostile threat.

support-mg
New Contributor II

Super helpful to borrow the work here during what have been ovtherwise busy days. The scripts here work like a charm in my testing. THANKS!! like @howie_isaacks - the machine holding my test infection file poped once the EA's loaded. In the meantime I used a couple of policies to delete the core bits of the files. Now, like @jwojda --- hoping for a process name(s) to show up in a thread somewhere vs. playing whack-a-mole on what is sure to be a moving target of file names and locations. -- on related news, this post over at Objective-See is sobering news of AntiVirus missing known malware when it's been updated to run on Arm64/M1. It made the news cycle but didn't bubble up as much as the SilverSparrow news. The upshot: 'Specifically, we highlighted a Pirrit variant (GoSearch22.app) ... And while the x86_64 and arm64 code appears logically identical (as expected), we showed that defensive security tools may struggle to detect the arm64 binary' – Here's a link to the full post

mickl089
Contributor III

Hi,

what do i have to do so that the EA is displayed in my computer administration? I´ve created the EA but i cant see it so i can´t create a smart group... Thank you!

2875ebdf6239423c8294372ddefa7216

EDIT: GOT IT! just changed to "integer" :-)

whitebeer
Contributor

We are using the Microsoft Security Center to find infected clients with advanced hunting queries. So far so good, no client showed up so far. Thank you for sharing the additional files / indicators! :)

barnesaw
Contributor III

It is highly unlikely that there would be a single process name to block with Jamf. That's a busted methodology for dealing with malware, or even Google-savvy kids.

acornetta
New Contributor

Can this EA be set as Default for the Script options?

acornetta
New Contributor

To be more specific, just confirming the EA setup should look like this:

62c7858f774b495a86aa3c131ec256f7

ncworster
New Contributor III

@acornetta Yes, exactly like that

acornetta
New Contributor

Thank you Nathan, just curious have any folks out here seen this smart group yield a significant number of affected endpoints?

jonathan_rudge
New Contributor III

Hi, so once Ive added the extension attribute and made it live how do I push this to clients to start reporting? Should I have written out a separate script? Or EA is fine?

jonathan_rudge
New Contributor III

Ahh it has started collection, to confirm I would see this under general > extension attributes and NOT under Extension attributes section on the left hand side of a computer record?

scottb
Honored Contributor

@jonathan.rudge - depends on your settings...

fredrik_virding
Contributor

@ncworster

Great EA!

Got it up and running in our environment as well, + set up some webhooks to Teams incase the Smart Group got populated.

Anonymous
Not applicable

Thank you for sharing this script ! Thumbs up !

MartinM64
New Contributor II

@ncworster Thank you for sharing your script!

hepvd
Contributor

Seems like my post was lost. Thanks @ncworster for the script ! I've adapted it to add several malware description then I have a smart computer group and a policy that ask the end user to take contact with the helpdesk.