silver sparrow

About Silver Sparrow

Security researchers have spotted a new malware operation targeting Mac devices that has silently infected almost 30,000 systems. Named Silver Sparrow, the malware was discovered by security researchers from Red Canary and analyzed together with researchers from Malwarebytes and VMWare Carbon Black.

“According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany,” Red Canary’s Tony Lambert wrote in a report published last week.

But despite the high number of infections, details about how the malware was distributed and infected users are still scarce, and it’s unclear if Silver Sparrow was hidden inside malicious ads, pirated apps, or fake Flash updaters —the classic distribution vector for most Mac malware strains these days.

Furthermore, the purpose of this malware is also unclear, and researchers don’t know what its final goal is. Once Silver Sparrow infects a system, the malware just waits for new commands from its operators — commands that never arrived during the time researchers analyzed it, hoping to learn more of its inner workings prior to releasing their report. But this shouldn’t be interpreted as a failed malware strain, Red Canary warns. It may be possible that the malware is capable of detecting researchers analyzing its behavior and is simply avoiding delivering its second-stage payloads to these systems.

The large number of infected systems clearly suggests this is a very serious threat and not just some threat actor’s one-off tests.

What You Can Do

Avoid downloading software packages or updates from websites you are unfamiliar with.

• Were you prompted by a website to download a software package and/or update?
• Was it something you weren’t intending to download or install until the website suggested you should?
• Was the package file named something simple and dull, like “update.pkg” or “updater.pkg?”

If you said yes to any of these, please contact us and we’ll take a look at it.

Contact Us