

Cyber security company Red Canary published findings last week about a new piece of Mac malware called Silver Sparrow. This malware is notable in being one of the first to include native code for Apple's new M1 chips, but what is unknown about this malware is actually more interesting than what is known!

We know that the malware was installed via Apple installer packages (.pkg files) named update.pkg or updater.pkg. However, we do not know how these files were delivered to the user.

The .pkg files included JavaScript code, in such a way that the code would run at the very beginning, before the installation has really started. The user would then be asked if they want to allow a program to run "to determine if the software can be installed." This means that, if you were to click Continue, but then think better of it and quit the installer, it would be too late.

The malicious JavaScript code installs a launch agent plist file for the current user, which is designed to launch a script named verx.sh once per hour. This script has several functions.

First, it will contact a command & control server formerly hosted on Amazon AWS. The data it gets back looked something like this at the time of analysis:

Next, the malware will check for the file ~/Library/._insu. From Malwarebytes data, it appears that this is a zero-byte file, and the malware simply uses it as a marker to indicate that it should delete itself. In this case, the script does exactly that, then exits.

Finally, it will try to determine whether there is a newer version of the malware (which will always be the case if the final payload is not yet installed), and if so, it will download the payload from the URL provided in the downloadUrl parameter in the data from the command & control server. However, as can be seen from the data, at the time of analysis, the download URL was blank.

Although we know that the script will store the payload at /tmp/verx, we have yet to see any instances of this payload on any infected machines. If the payload were actually downloaded, it would be launched with the args data as the arguments. The args value in the data from the command and control server (upbuchupsf) looks similar to an affiliate code, often used by adware.

Separate from the files dropped by the JavaScript, the .pkg file also installs an app into the Applications folder. This app is named either "tasker" or "updater," depending on the version of the .pkg. Both of these apps appear to be very simplistic placeholder apps that don't do anything interesting.

Malwarebytes researchers collaborated with Red Canary researchers on their find, and have collected significant data about the infection at this point. At the time of this writing, we've seen 39,080 unique machines with components of Silver Sparrow detected by Malwarebytes. Those detections are primarily clustered in the US, with more than 25,000 unique machines having Silver Sparrow detections. This, of course, is affected by Malwarebytes' heavily US-based customer base, but the malware does appear to be quite widespread, with detections in 164 different countries.

The paths detected show a rather interesting pattern. The vast majority of "infections" are actually represented by the ._insu file, and machines that have that file present do not have any of the other components (as expected).

~/Library/Application Support/verx_updater

At this time, we have yet to see the /tmp/verx payload. None of the infected machines have it installed. This means that, as Red Canary said, we have little information on what the intent of this malware is.

Yes, Malwarebytes protects your Mac from Silver Sparrow.
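A host-side check for the artefacts this write-up describes, as an added example that is not Malwarebytes' or Red Canary's code: it looks for the ._insu marker (and reports its size, since the marker is described as zero bytes), the verx_updater directory, a per-user launch agent that references verx.sh, the /tmp/verx payload path, and apps named tasker or updater in /Applications. The .app bundle names and the optional alternate root argument (so the check can be run against a staged directory tree) are assumptions; the script only reports and deletes nothing.

```sh
#!/bin/sh
# Report Silver Sparrow indicators on a Mac (added example, not vendor code).
# $1: home directory to inspect (default $HOME)
# $2: root for /tmp and /Applications (default "", i.e. the real /;
#     assumed parameter so the check can run against a staged tree)
# Prints "TAG<TAB>path" per indicator; returns 1 if anything was found.
silver_sparrow_check() {
    home=${1:-$HOME}
    root=${2:-}
    found=0

    # ._insu: zero-byte marker that tells verx.sh to remove itself.
    if [ -e "$home/Library/._insu" ]; then
        size=$(wc -c < "$home/Library/._insu" | tr -d ' ')
        printf 'marker\t%s (%s bytes)\n' "$home/Library/._insu" "$size"
        found=1
    fi

    # Directory dropped by the installer JavaScript.
    if [ -d "$home/Library/Application Support/verx_updater" ]; then
        printf 'dropper_dir\t%s\n' "$home/Library/Application Support/verx_updater"
        found=1
    fi

    # Launch agent that runs verx.sh hourly: match on the script name,
    # because the write-up does not give the plist's filename.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q 'verx\.sh' "$plist"; then
            printf 'launch_agent\t%s\n' "$plist"
            found=1
        fi
    done

    # Final payload location (not yet observed on any infected machine).
    if [ -e "$root/tmp/verx" ]; then
        printf 'payload\t%s\n' "$root/tmp/verx"
        found=1
    fi

    # Placeholder apps; bundle names assumed from the app names above.
    for app in tasker updater; do
        if [ -d "$root/Applications/$app.app" ]; then
            printf 'placeholder_app\t%s\n' "$root/Applications/$app.app"
            found=1
        fi
    done

    return $found
}
```

Run it as `silver_sparrow_check` for the current user, or with a home path argument for other accounts; a non-zero exit means at least one indicator was present.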
