What is Silver Sparrow? No, it's not a Game of Thrones character (has that ship sailed?) but a new piece of macOS malware that runs on both Intel- and M1-based Macs. That makes it only the second known malware family targeting the latter, but there is a silver lining: researchers discovered the malicious software before it actually did anything harmful to infected systems.

As Red Canary’s Tony Lambert writes:

“… the ultimate target of this malware is a mystery. We cannot know for sure what payload will be distributed by the malware, whether a payload has already been delivered and removed, or whether the adversary has a future schedule for distribution. Based on data that Malwarebytes shared with us, the nearly 30,000 affected hosts did not download what would be the next or last payload.”

Head over to Red Canary's blog for the full technical details of Silver Sparrow. If you're wondering whether you've been infected, chances are you haven't, and you won't be: Apple has revoked the developer certificates used to sign the package files that trigger the infection. That means a Mac running the default security settings will refuse to install them. (I wasn't able to find this malware myself, so I can't check whether your Mac will warn you not to install it or simply flag it as a malicious app and block it outright.)

However, if you're concerned that you might be infected, think about what you've done to your system lately. Did a website ask you to download and/or update a software package? Was it something you had no intention of downloading or installing until a website suggested it? Was the package file given a plain, boring name such as “update.pkg” or “updater.pkg”?


If so, a little suspicion is warranted. There is no real way to use observable behavior to tell whether this malware is on your system, since it isn't doing anything right now and it's unclear whether it ever will. What you can do is search your system for the files the malware drops. Red Canary lists four files whose presence indicates that your system may be infected:

  • ~/Library/._insu (empty file that signals the malware to delete itself)
  • /tmp/agent.sh (shell script executed as the installer's callback)
  • /tmp/version.json (file downloaded from S3 to determine execution flow)
  • /tmp/version.plist (version.json converted to a property list)
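If you'd rather not hunt for those paths by hand, the following POSIX shell check looks for all four at once. This is an added example, not code from the article or from Red Canary; the four paths come straight from the list above, and the optional home/tmp arguments are my own addition so the check can be run against a test directory tree instead of your real home folder and /tmp.

```sh
#!/bin/sh
# Added example (not from the article or Red Canary): look for the four
# Silver Sparrow indicator files on a Mac.
#
# Usage: ss_check [home_dir] [tmp_dir]
#   Defaults to $HOME and /tmp. The two arguments are an assumption added
#   here so the check can be pointed at a test tree; on a real Mac just run
#   it with no arguments.
# Output: one `ls -ld` line per indicator found (owner, size, mtime, path),
#   nothing on a clean system. Always exits 0; use ss_count for a number.
ss_check() {
    home="${1:-$HOME}"
    tmp="${2:-/tmp}"
    for f in \
        "$home/Library/._insu" \
        "$tmp/agent.sh" \
        "$tmp/version.json" \
        "$tmp/version.plist"; do
        # -e rather than -f: ._insu is an empty file, so a size test would miss it.
        if [ -e "$f" ]; then
            ls -ld "$f"
        fi
    done
    return 0
}

# Number of indicator files present (0 = nothing found).
ss_count() {
    ss_check "$@" | wc -l | tr -d ' '
}

# When run as a script, report on the real home directory and /tmp.
if [ "$(ss_count)" = "0" ]; then
    echo "No Silver Sparrow indicator files found."
else
    echo "Indicator files present, inspect before removing:"
    ss_check
fi
```

A hit is worth taking seriously, because these exact names are unusual for legitimate software to leave behind. A clean result is weaker evidence: the /tmp entries are temporary by design and may have been cleaned up by the time you look, and the ._insu marker only exists if the malware was told to remove itself. Either way, the Ars Technica and Red Canary write-ups are the place to confirm what you've found before deleting anything.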

Ars Technica's lengthy (and incredibly helpful) write-up can help you find the bad files, confirm they are the problematic ones, and remove them. Since Malwarebytes worked with Red Canary on the detection data behind the analysis and the published piece, chances are good that the free version of that popular anti-malware scanner/remover will be sufficient as well.

If the current version of Malwarebytes can't yet find and remove Silver Sparrow, make sure you keep its definitions up to date and run regular scans. I expect it won't be long before the company releases an update that rids macOS of this pesky but, for now, dormant malware.