fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Silver Sparrow Malware Infects 30,000 Macs For Unknown Purpose

New Silver Sparrow Malware Infects 30,000 Macs For Unknown Purpose

A new macOS malware known as Silver Sparrow has silently infected almost 30,000 Mac devices with malware whose purpose is a mystery.

In a collaboration between Red Canary, Malwarebytes, and VMware Carbon Black, researchers have found a new Mac malware that exhibits unusual properties, including a component explicitly compiled for the new Apple M1 chip.

According to Malwarebytes, this malware has infected 29,139 Mac devices across 153 countries, with high volumes in the United States, the United Kingdom, Canada, France, and Germany.

Not your typical adware

While Apple has always prided itself over macOS’ security, the reality is that the operating system is increasingly targeted by malwareransomware, and adware.

In a new report by RedCanary, researchers reveal a new malware targeting Mac devices that is unlike most infections developed for the operating system.

Named Silver Sparrow, the malware has been seen distributed as two different files named ‘updater.pkg’ [VirusTotal] or ‘update.pkg’ [VirusTotal]. The only difference seen by Red Canary is that the update.pkg includes both an Intel x86_64 and an Apple M1 binary, while the updater.pkg only includes the Intel executable.

Silver Sparrow executable
Silver Sparrow executable

Also Read: How To Prevent WhatsApp Hack: 7 Best Practices

Unlike most macOS adware which uses ‘preinstall’ and ‘postinstall’ scripts to execute commands or install further malware, Silver Sparrow utilizes JavaScript to execute its commands. The use of JavaScript produces different telemetry that makes it harder to detect malicious activity based on command line arguments.

Using JavaScript, SilverSparrow will create shell scripts executed by the malware to communicate with the command and control servers and create LaunchAgent Plist XML files to execute shell scripts periodically.

Creating the malicious shell scripts and LaunchAgent
Creating the malicious shell scripts and LaunchAgent

The LaunchAgent will connect to the threat actor’s command and control server every hour to check for new commands that the malware will execute.

While running, the malware will check for the presence of the ~/Library/._insu file, and if found, will remove itself and all associated files. The researchers have not been able to determine what triggers this kill switch.

Malware’s purpose is a mystery

After observing the malware for a week, Red Canary researchers could not see further payloads downloaded and triggered by these hourly checks. Thus the malware’s real purpose remains a mystery.

“In addition, the ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution,” explains Red Canary’s report.

The Intel and Mach-O binaries included with Silver Sparrow seem to be placeholders for an in-development malware as executing them only displays a screen stating ‘Hello World’ or ‘You did it!,’ as shown below.

The screen shown after running included binary
The screen shown after running included binary

Unfortunately, Silver Sparrow’s distribution also remains a mystery at this time.

“Other than the fact that it gets installed via an installer .pkg file, we have no idea. We don’t know how users would have initially found that installer. In fact, I’m a bit skeptical that it may even still be in distribution, in this form, at least,” Malwarebytes’ Thomas Reed told BleepingComputer.

How to check for the Silver Sparrow malware

If you use Malwarebytes for Mac, the program was updated over a week ago to detect if the Silver Sparrow malware is installed.

For those who do not use Malwarebytes or would like to check for the malware’s presence manually, you can use the following checklist provided by Red Canary.

  • Look for a process that appears to be PlistBuddy executing in conjunction with a command-line containing the following: LaunchAgents and RunAtLoad and true. This analytic helps us find multiple macOS malware families establishing LaunchAgent persistence.
  • Look for a process that appears to be sqlite3 executing in conjunction with a command line that contains: LSQuarantine. This analytic helps us find multiple macOS malware families manipulating or searching metadata for downloaded files.
  • Look for a process that appears to be curl executing in conjunction with a command-line that contains: s3.amazonaws.com. This analytic helps us find multiple macOS malware families using S3 buckets for distribution.

Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup

To perform these steps, you can use the following commands from Terminal:

ps -aex | grep -i buddy
ps -aex | grep -i curl | grep -i amazon
ps -aex | grep -i sqlite3 | grep -i LSQuarantine

If there are processes listed in the output, not including the ones above, you should immediately scan your device for malware and inspect it for further compromise.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us