Following the recent discovery of a new macOS malware strain known as "Silver Sparrow," Addigy has created and published a community fact to detect the known files related to this malware, along with a community script to remove them.
Note: Addigy is not an anti-virus/anti-malware solution in itself. The Addigy Community items provide a rudimentary stop-gap for the currently known versions of Silver Sparrow (v2 at the time of writing). If you do not already use an anti-malware tool, we recommend deploying Malwarebytes Breach Remediation from our Public Software catalog, as it automatically receives new malware definitions and automatically remediates infections.
More information: https://support.addigy.com/support/solutions/articles/8000054639
TABLE OF CONTENTS
- What is Silver Sparrow?
- How is Silver Sparrow Detected?
- Using Addigy's Public Fact and Remediation to detect and remove Silver Sparrow
What is Silver Sparrow?
Silver Sparrow is malware that installs itself on a device under the guise of a .pkg installer. Unusually for macOS malware, its installation logic does not live in a preinstall/postinstall script or a dropped binary: the code that creates its LaunchAgents is written into the package's Distribution XML file and runs during installation. Because the malicious behaviour is carried in installer script rather than in a compiled payload, it does not present the kind of file signature most anti-malware tools match on.
Currently, there are two known versions of Silver Sparrow. The initial version has binaries that target traditional x86 Intel platforms only. The second iteration, v2, targets both Apple M1 (Arm) chips and Intel x86 chips.
As of the writing of this article, Silver Sparrow has not been observed delivering a final payload: beyond installing itself and periodically checking back for instructions to execute, it runs no explicit malicious code. It does, however, leave a back door through which its creator can deploy instructions to the infected devices at any time.
How is Silver Sparrow Detected?
Silver Sparrow uses a very distinct process to infect a device. The malware writes its LaunchAgent plists with the PlistBuddy tool that ships natively with macOS. Because plists created this way are plain XML property lists, the contents written into a LaunchAgent can easily be inspected, and its presence can be checked.
Currently, a few files are associated with a Silver Sparrow infection: the LaunchAgent plists created during installation, temporary files written to /tmp/, and the following scripts dropped into the user's home directory:
- ~/Library/Application Support/agent_updater/agent.sh
- ~/Library/Application Support/verx_updater/verx.sh
Additionally, the malware has a kill switch: if the file ~/Library/._insu is present, Silver Sparrow removes itself and its persistence mechanisms from the device.
Using Addigy's auditor, a device fact can check for the existence of any of these files to determine whether a device has been infected. By creating a monitoring item with this fact, automatic remediation can be used to remove all known related files.
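The check-and-clean pairing described above, as an added example that is not Addigy's published community fact or script: a POSIX shell script with a "fact" function that prints true/false for a given home directory and a "remediation" function that removes what the fact found. It encodes only the indicator paths listed in this article and assumes (as is normal for a LaunchAgent that runs a script) that the plist's ProgramArguments reference one of those script paths, so LaunchAgents are matched on content rather than on a file name the article does not give. The home directory is a parameter so the same functions can be run against each home under /Users or against a test fixture.

```shell
#!/bin/sh
# Added example: Silver Sparrow indicator check and cleanup, modelled on an Addigy
# fact + remediation script pairing. Not Addigy's published community item; it only
# encodes the indicators listed in this article.

# On-disk indicators from the article, relative to a user's home directory.
SS_INDICATORS='Library/Application Support/agent_updater/agent.sh
Library/Application Support/verx_updater/verx.sh'

# Kill-switch marker: if present, the malware removes itself.
SS_KILLSWITCH='Library/._insu'

# Print the full path of every indicator found under $1. Returns 0 if at least one
# was found, 1 if none. LaunchAgent plists are matched on content (assumption: their
# ProgramArguments point at one of the scripts above); PlistBuddy writes XML, so a
# plain grep is enough and a renamed plist is still caught.
ss_find_indicators() {
    home=$1
    found=1
    set -f                     # no globbing while splitting the indicator list
    old_ifs=$IFS
    IFS='
'
    for rel in $SS_INDICATORS; do
        if [ -e "$home/$rel" ]; then
            printf '%s\n' "$home/$rel"
            found=0
        fi
    done
    IFS=$old_ifs
    set +f
    for plist in "$home/Library/LaunchAgents"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q -e 'agent_updater/agent.sh' -e 'verx_updater/verx.sh' "$plist"; then
            printf '%s\n' "$plist"
            found=0
        fi
    done
    return $found
}

# Fact: prints "true" when any indicator is present under $1, otherwise "false".
ss_fact() {
    if ss_find_indicators "$1" >/dev/null; then echo true; else echo false; fi
}

# Returns 0 if the kill-switch file exists under $1.
ss_killswitch_present() {
    [ -e "$1/$SS_KILLSWITCH" ]
}

# Remediation: unload and delete matching LaunchAgents, then delete the dropped
# scripts together with their parent directories. launchctl is only called where it
# exists (macOS). When this runs as root against another user's agent, prefer
# `launchctl bootout gui/<uid> <plist>` so the agent also leaves that user's session.
ss_remediate() {
    home=$1
    ss_find_indicators "$home" | while IFS= read -r path; do
        case "$path" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$path" 2>/dev/null || true
                fi
                rm -f "$path"
                ;;
            *)
                rm -rf "$(dirname "$path")"
                ;;
        esac
    done
}

# Usage: sh silver_sparrow.sh check|remediate [home]   (home defaults to $HOME)
ss_main() {
    home=${2:-$HOME}
    case "$1" in
        check)     ss_fact "$home" ;;
        remediate) ss_remediate "$home"; ss_fact "$home" ;;
        *)         echo "usage: $0 check|remediate [home]" >&2 ;;
    esac
}

if [ $# -gt 0 ]; then ss_main "$@"; fi
```

Two practical caveats when adapting this to a management tool: scripts pushed by an MDM usually run as root, so the check should loop over every home under /Users rather than rely on $HOME, and a root-run `launchctl unload` does not remove an agent from another user's login session (use `launchctl bootout gui/<uid>` for that, or have the user log out). If a plist turns out to be binary rather than XML, convert it first with `plutil -convert xml1 -o - <file>` before grepping.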
Using Addigy's Public Fact and Remediation to detect and remove Silver Sparrow
Using the currently known information about Silver Sparrow, Addigy has created a Community Fact to detect the presence of files associated with Silver Sparrow. Additionally, Addigy has created a Community Script that will remove these files. By combining these two items into a monitoring item, the current known iteration of Silver Sparrow can be automatically removed from devices enrolled into Addigy.
Adding the Fact to your environment
Note: This fact can be found in the Community catalog when you are logged in.
Navigate to Community > Device Facts and select the Silver Sparrow Malware Detected item
Here, all the published community facts will be listed. The fact created by Addigy for Silver Sparrow will appear with the name Silver Sparrow Malware Detected.
Select "Copy to my catalog"
This will allow you to access the fact within your environment's catalog
Adding the Script into your environment
Note: This script can be found in the Community catalog when you are logged in.
Select the Script and Copy it to your Scripts
This will copy the community script into your environment's available scripts. It can then be used as the remediation in a monitoring item, or run independently from the Devices page.
Creating the Monitoring Item
With both the removal script and fact added to your Addigy environment, they can be used to automatically remove the malware if it is detected. To accomplish this:
Navigate to Policies > Catalog and select Monitoring > New
Configure the Monitoring item to check the Fact and use the Script as Remediation
The monitoring item can be named as you wish. The core settings that must be set are the used Device Fact and Remediation script, which should reflect the newly added community items.