Try in Splunk Security Cloud

Description

Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-02-24
  • Author: Michael Haag, Splunk
  • ID: cb4f48fe-7699-11eb-af77-acde48001122

Narrative

Silver Sparrow works is a dropper and uses typical persistence mechanisms on a Mac. It is cross platform, covering both Intel and Apple M1 architecture. To this date, no implant has been downloaded for malicious purposes. During installation of the update.pkg or updater.pkg file, the malicious software utilizes JavaScript to generate files and scripts on disk for persistence.These files later download a implant from an S3 bucket every hour. This analytic assists with identifying different types of macOS malware families establishing LaunchAgent persistence. Per SentinelOne source, it is predicted that Silver Sparrow is likely selling itself as a mechanism to 3rd party “affiliates” or pay-per-install (PPI) partners, typically seen as commodity adware/malware. Additional indicators and behaviors may be found within the references.

Detections

Name Technique Type
Suspicious Curl Network Connection Ingress Tool Transfer TTP
Suspicious PlistBuddy Usage Launch Agent TTP
Suspicious PlistBuddy Usage via OSquery Launch Agent TTP
Suspicious SQLite3 LSQuarantine Behavior Data Staged TTP

Reference

source | version: 1