A piece of Mac malware was discovered and recently made the news. It’s been dubbed “Silver Sparrow” but researchers don’t know what it does. Right now we know that Malwarebytes can detect it, and other anti-malware vendors will likely be updated soon.
Finding Silver Sparrow
There are files you can discover on your own that are indicators of a Silver Sparrow infection. These files are:
- ~/Library/._insu (empty file used to signal the malware to delete itself)
- /tmp/agent.sh (shell script executed for installation callback)
- /tmp/version.json (file downloaded from S3 to determine execution flow)
- /tmp/version.plist (version.json converted into a property list)
The Red Canary team has more details on its blog, but advanced Mac users can start looking for these files in Finder. One version of Silver Sparrow only infects Intel Macs while the other affects both Intel and M1 Macs.
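As an added example (not code from Red Canary or Malwarebytes), the shell functions below check for the four indicator files listed above from Terminal, which also finds `._insu`, a dotfile that Finder hides by default. The function names and the optional `ROOT` argument are assumptions made for this example, as is the assumption that home directories live under `/Users`.

```shell
#!/bin/sh
# Added example: look for the Silver Sparrow indicator files listed above.
# The optional ROOT argument is a hypothetical convenience: a prefix for the
# filesystem root, so a mounted backup or a test directory can be checked.

# Print one line per indicator found: "<path><TAB><what the file is>".
silver_sparrow_scan() {
    root="${1:-}"
    # ._insu is per-user, so check every home directory (assumed under /Users).
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        f="$home/Library/._insu"
        # -L also catches a dangling symlink, which -e alone would miss.
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\t%s\n' "$f" "empty file that signals self-deletion"
        fi
    done
    # The remaining indicators live in /tmp.
    for entry in \
        "agent.sh:installation callback script" \
        "version.json:file downloaded from S3" \
        "version.plist:version.json converted to a property list"
    do
        f="$root/tmp/${entry%%:*}"
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\t%s\n' "$f" "${entry#*:}"
        fi
    done
    return 0
}

# Print the number of indicator files found under ROOT.
silver_sparrow_count() {
    silver_sparrow_scan "${1:-}" | wc -l | tr -d ' '
}

# Check the running system.
silver_sparrow_scan
echo "Silver Sparrow indicator files found: $(silver_sparrow_count)"
```

Run it with `sudo` to cover other accounts, since a standard user cannot read into another user's `Library` folder.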