Security : 2 birds for a wormed apple

Last week, researchers in security at RedCanary discovered a malware which had infected about 30.000 Apple Macs worldwide. 

The malware appeared to have 2 known strains, basically similar, at the sligh difference that the latest seems compatible with the new Apple’s M1 ARM chips which will equip the next generation of Apple’s computers. 

But as far as we know, the little malware, now called Silver Sparrow seems to lacking of one special attribute to run its mischief: a payload*.

For more information, you can visit the official page of #redcanary 

* a Payload, is code downloaded and executed on the targeted device.

You want to know if your Mac has been infected ? 

  1. Look for the following files in your computer. 

We recommend you to use the Terminal.app to navigate through the different repertories (with a sudo or root rights to not miss anything suspicious).

And FYI, on Mac you can get the MD5 hash by using your terminal and the command

md5 [your_file]

Common to both malware’s version :

  • ~/Library/._insu
  • /tmp/agent.sh
  • /tmp/version.json
  • /tmp/version.plist

Malware in version 1

  • File name : updater.pkg  with a MD5= 30c9bc7d40454e501c358f77449071aa 
  • File name : updater with a MD5= c668003c9c5b1689ba47a431512b03cc
  • ~/Library/Application Support/agent_updater/agent.sh
  • ~/Library/Launchagents/agent.plist
  • ~/Library/Launchagents/init_agent.plist
  • /tmp/agent

Malware in version 2 :

  • File name: update.pkg with a MD5= fdd6fb2b1dfe07b0e57d4cbfef9c8149
  • File name: tasker.app/Contents/MacOS/tasker with MD5= b370191228fef82635e39a137be470af
  • ~/Library/Application Support/verx_updater/verx.sh
  • ~/Library/Launchagents/verx.plist
  • ~/Library/Launchagents/init_verx.plist
  • /tmp/verx
  1. Search for suspicious processes.

Launch your Activity Monitor.app and search for the following processes.

  • PlistBuddy executing in conjunction with a command line that contains LaunchAgents and RunAtLoad and true
  • sqlite3 executing in conjunction with a command line that contains LSQuarantine
  • curl executing in conjunction with a command line that contains s3.amazonaws.com

Leave a Comment

PAGE TOP