	{"id":93100,"date":"2021-02-24T23:15:41","date_gmt":"2021-02-25T07:15:41","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=93100"},"modified":"2024-05-20T11:44:04","modified_gmt":"2024-05-20T18:44:04","slug":"silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/","title":{"rendered":"Silver Sparrow: 40,000 Macs Infected by Mysterious M1-native Malware"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-93153\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-600x300-1.jpg\" alt=\"Silver Sparrow malware logo\" width=\"600\" height=\"300\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-600x300-1.jpg 600w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-600x300-1-300x150.jpg 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-600x300-1-150x75.jpg 150w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>A new family of Mac malware dubbed <strong>Silver Sparrow<\/strong> (detected by Intego and others as <strong>OSX\/Slisp<\/strong>) has apparently infected at least 40,000 Macs, according to reports. It is also one of the first pieces of Mac malware that runs natively on Apple&#8217;s new M1 processors. 
These facts combined have propelled Silver Sparrow into the mainstream media spotlight.<\/p>\n<p>Let&#8217;s explore everything you need to know about the latest Mac malware threat.<\/p>\n<p>In this article:<\/p>\n<ul>\n<li><a href=\"#how-spread\">How does Silver Sparrow malware spread?<\/a><\/li>\n<li><a href=\"#potential-harm\">What potential harm can Silver Sparrow do to Macs?<\/a><\/li>\n<li><a href=\"#malware-or-poc\">Is Silver Sparrow really malware, or a mere proof of concept (PoC)?<\/a><\/li>\n<li><a href=\"#m1-native\">Silver Sparrow is the second M1-native Mac malware discovered<\/a><\/li>\n<li><a href=\"#notarization-fail\">Silver Sparrow is (at least) the sixth major Apple notarization failure<\/a><\/li>\n<li><a href=\"#javascript-installer\">Silver Sparrow uses JavaScript during installation<\/a><\/li>\n<li><a href=\"#distribution-goal\">Silver Sparrow has had wide distribution, but its goal is unknown<\/a><\/li>\n<li><a href=\"#how-to-remove\">How can one remove or prevent Silver Sparrow and other threats?<\/a><\/li>\n<li><a href=\"#iocs\">Indicators of compromise (IoCs)<\/a><\/li>\n<li><a href=\"#learn-more\">How can I learn more?<\/a><a name=\"how-spread\"><\/a><\/li>\n<\/ul>\n<h3>How does Silver Sparrow malware spread?<\/h3>\n<p>As of this moment, malware researchers have not yet conclusively identified how Silver Sparrow installation packages have made their way onto Macs.<\/p>\n<p>There are some indications that end-users may have encountered the malware via poisoned Google search results, meaning results leading to legitimate sites that had been compromised by a threat actor, and\/or malicious sites that rank highly for particular searches.<\/p>\n<p>Katie Nickels, a representative from Red Canary (the company that discovered the malware), suggested in a <a href=\"https:\/\/twitter.com\/redcanary\/status\/1363927585223237640\" target=\"_blank\" rel=\"noopener\">live stream<\/a> on Monday\u00a0that another possible source of infection may have 
been malicious browser extensions.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">.<a href=\"https:\/\/twitter.com\/likethecoins?ref_src=twsrc%5Etfw\">@likethecoins<\/a> and <a href=\"https:\/\/twitter.com\/ForensicITGuy?ref_src=twsrc%5Etfw\">@ForensicITGuy<\/a> are about to chat all things Silver Sparrow. Bring your questions! <a href=\"https:\/\/t.co\/wSX2i1c41E\">https:\/\/t.co\/wSX2i1c41E<\/a><\/p>\n<p>&mdash; Red Canary (@redcanary) <a href=\"https:\/\/twitter.com\/redcanary\/status\/1363927585223237640?ref_src=twsrc%5Etfw\">February 22, 2021<\/a><\/p><\/blockquote>\n<p><a name=\"potential-harm\"><\/a><\/p>\n<h3>What potential harm can Silver Sparrow do to Macs?<\/h3>\n<p>At this time, <strong>the malware installer packages will no longer run<\/strong>. Apple addressed the two known variants of Silver Sparrow by revoking the developer\u2019s code-signing certificates. Because the malware is no longer signed by an authorized Apple Developer ID, the two known variants of the malware won\u2019t be able to run anymore if someone tries to install them today.<\/p>\n<p>However, it&#8217;s worth noting that Apple&#8217;s mitigation efforts may not necessarily remove all existing malware infections, and may not block potential future Silver Sparrow variants that would presumably be signed with yet another Apple Developer ID.<\/p>\n<p>Before Apple\u2019s revocation of the code-signing certificates, the malware would install a LaunchAgent as a \u201cpersistence\u201d method (i.e. a way for the malware to continue running, even after a victim restarts their Mac).<\/p>\n<p>The LaunchAgent would check an Amazon AWS S3 bucket for further instructions and a potential additional malicious payload, but so far researchers have not yet observed the malware downloading any final payloads. 
It appears that <strong>Amazon may have shut down the S3 buckets<\/strong> that were associated with the two known Silver Sparrow variants.<\/p>\n<p>Theoretically, before revocation of their Apple certificates and cancelation of their S3 buckets, it\u2019s possible that a final payload may have been available for a short period of time, or may have only been made available to certain victims. However, this is only speculation, and this theory unfortunately cannot be confirmed based on the currently available evidence.<a name=\"malware-or-poc\"><\/a><\/p>\n<h3>Is Silver Sparrow really malware, or a mere proof of concept (PoC)?<\/h3>\n<p>There are a couple of indicators that have caused some to speculate that Silver Sparrow might have just been a proof of concept that somehow became widely distributed. Let us examine that speculation.<\/p>\n<p>Proponents of the proof-of-concept theory point out that researchers have not yet observed the malware installing any further malicious payloads. In other words, after the malware gets installed, it has not yet been observed to download and install additional components that can cause further harm or enhance its functionality, as the malware appears designed to do.<\/p>\n<p>Furthermore, the first sample actually installs an app that, if opened, displays a message saying, \u201cHello, World!\u201d\u2014which is normally a shorthand way for a programmer to say, \u201cThis is my first attempt at making this app, and if you\u2019re seeing this message, then the app works!\u201d<\/p>\n<div id=\"attachment_93136\" style=\"width: 970px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-93136\" loading=\"lazy\" class=\"size-full wp-image-93136\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/hello-world-silver-sparrow-slisp-v1-screenshot-by-erika-noerenberg.png\" alt=\"Hello World message from Silver Sparrow Slisp malware v1. 
Screenshot by Erika Noerenberg.\" width=\"960\" height=\"594\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/hello-world-silver-sparrow-slisp-v1-screenshot-by-erika-noerenberg.png 960w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/hello-world-silver-sparrow-slisp-v1-screenshot-by-erika-noerenberg-300x186.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/hello-world-silver-sparrow-slisp-v1-screenshot-by-erika-noerenberg-150x93.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/hello-world-silver-sparrow-slisp-v1-screenshot-by-erika-noerenberg-768x475.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/hello-world-silver-sparrow-slisp-v1-screenshot-by-erika-noerenberg-657x407.png 657w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><p id=\"caption-attachment-93136\" class=\"wp-caption-text\">\u201cHello, World!\u201d message from OSX\/Slisp variant 1. Image credit: Erika Noerenberg via <a href=\"https:\/\/redcanary.com\/blog\/clipping-silver-sparrows-wings\/\" target=\"_blank\" rel=\"noopener nofollow\">Red Canary<\/a><\/p><\/div>\n<p>However, there are good reasons to think that Silver Sparrow is not merely a proof of concept. For example, there&#8217;s the fact that at least tens of thousands of Macs have been hit with this malware. Given that the malware has not been observed to have self-propagating functionality like a worm or virus, its maker would have had to put an inordinate amount of effort into widely distributing a mere proof of concept Trojan horse.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">I had several people ask me if &#8211; or assert that &#8211; Silver Sparrow was a proof-of-concept malware. IMO, there\u2019s no evidence of that. 
A PoC _virus_ that gets out of control could hit the number of machines we\u2019ve seen infected, but a PoC Trojan spreading that far is highly unlikely.<\/p>\n<p>&mdash; Thomas Reed (@thomasareed) <a href=\"https:\/\/twitter.com\/thomasareed\/status\/1364013996089765890?ref_src=twsrc%5Etfw\">February 23, 2021<\/a><\/p><\/blockquote>\n<p>And yet, we still don&#8217;t know what Silver Sparrow&#8217;s ultimate goal was, or who made it\u2014hence the word \u201cmysterious\u201d frequently being used to describe the malware campaign.<\/p>\n<p>So what makes Silver Sparrow different from other Mac malware? It has a few unusual characteristics that make it noteworthy.<a name=\"m1-native\"><\/a><\/p>\n<h3>Silver Sparrow is the second M1-native Mac malware discovered<\/h3>\n<p>The main thing that seems to be grabbing headlines is that one of the two discovered Silver Sparrow variants runs natively on new <a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/apple-silicon\/\">Apple silicon<\/a> Macs with M1 processors, as well as running natively on Intel-based Macs. Apple&#8217;s terminology for an app that runs natively on both architectures is \u201cUniversal Binary.\u201d<\/p>\n<p>There are actually two known versions of Silver Sparrow; the first one was compiled for Intel Macs, and the second was compiled as a Universal Binary for both Intel- and M1-based Macs.<\/p>\n<p>It\u2019s worth noting, however, that M1 Macs can often run Mac malware compiled only for Intel, due to Apple\u2019s Rosetta technology which enables Intel binaries to run on M1 (aka <a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/apple-silicon\/\">Apple silicon<\/a> or ARM-based) Macs. 
Therefore, much of the malware designed to run on Intel Macs can also run on M1 Macs.<\/p>\n<p>However, Silver Sparrow is actually the <em>second<\/em> known Mac malware family to be compiled as a Universal Binary.<\/p>\n<p>Credit for the first published report about M1-native malware goes to independent Mac security researcher Patrick Wardle, who published his analysis of \u201c<a href=\"https:\/\/objective-see.com\/blog\/blog_0x62.html\" target=\"_blank\" rel=\"noopener\">GoSearch22<\/a>,\u201d an <strong>OSX\/Pirrit<\/strong> variant, about four days before Red Canary published its write-up of Silver Sparrow. Intego VirusBarrier&#8217;s existing protection against Pirrit preemptively blocked the new variant found by Wardle.<\/p>\n<p><strong><em>Related: Intego&#8217;s 2018 <a href=\"https:\/\/www.youtube.com\/watch?v=P5m8wsQ5BFw\" target=\"_blank\" rel=\"noopener\">interview<\/a> of Pirrit&#8217;s original discoverer, Amit Serper<\/em><\/strong><\/p>\n<p>We can expect that <strong>virtually all Mac malware from this point forward will be designed to run on both architectures.<\/strong> Apple makes it easy for developers to write cross-architecture Mac apps, which is usually a good thing, but is unfortunate in the case of malware.<\/p>\n<p>So while M1-native malware may seem novel for the moment, soon most new macOS malware will be M1 native.<a name=\"notarization-fail\"><\/a><\/p>\n<h3>Silver Sparrow is (at least) the sixth major Apple notarization failure<\/h3>\n<p><img 
loading=\"lazy\" class=\"alignright size-full wp-image-92241\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/09\/notarized-malware-400x260-1.png\" alt=\"Notarized Mac malware\" width=\"175\" height=\"114\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/09\/notarized-malware-400x260-1.png 400w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/09\/notarized-malware-400x260-1-300x195.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/09\/notarized-malware-400x260-1-150x98.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/09\/notarized-malware-400x260-1-305x200.png 305w\" sizes=\"(max-width: 175px) 100vw, 175px\" \/>According to our research, the discovery of Silver Sparrow marks<strong> at least the sixth major time that Apple\u2019s notarization process has failed to detect malware<\/strong> families that have either been distributed in the wild or uploaded to VirusTotal.<\/p>\n<p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/notarization\/\">Notarization<\/a> is specifically supposed to identify and block new malware before it can ever infect Macs, but Apple\u2019s automated notarization process has repeatedly notarized dozens of malware samples that Apple has failed to detect as malicious.<a name=\"javascript-installer\"><\/a><\/p>\n<h3>Silver Sparrow uses JavaScript during installation<\/h3>\n<p>Another novel thing about Silver Sparrow is its use of JavaScript code within the macOS installer during the pre-installation phase.<\/p>\n<p>Malware that installs via Apple&#8217;s Installer app typically prefers to rely on preinstall shell scripts (similar to typing commands in the Terminal, but run in the background without the user&#8217;s knowledge) instead of JavaScript.<a name=\"distribution-goal\"><\/a><\/p>\n<h3>Silver Sparrow has had wide distribution, but its goal is unknown<\/h3>\n<p>Most malware 
has a clear purpose, such as spying on victims, holding victims&#8217; files for ransom, or injecting advertisements or mining for cryptocurrency in an attempt to make a profit for the malware distributor.<\/p>\n<p><strong>Silver Sparrow&#8217;s wide distribution, in spite of its lack of an obvious <em>raison d&#8217;\u00eatre<\/em>, is therefore a bit puzzling.<\/strong><\/p>\n<p>According to the original report about Silver Sparrow, one antivirus company found evidence of nearly 30,000 Macs having been infected as of February 17. By February 23, less than a week later, <strong>that number had reached nearly 40,000.<\/strong><\/p>\n<p>Given that this data is based on observations from a single antivirus vendor\u2014and given that a significant percentage of Mac users don&#8217;t run antivirus software at all\u2014it&#8217;s quite likely that the actual number of Macs hit by Silver Sparrow is much higher.<\/p>\n<p>These numbers are primarily based on the existence of a particular zero-byte file left behind by the malware after it uninstalls itself. 
In fact, of Macs with Silver Sparrow detections, <strong>99.5% seemed to only have that one harmless file remaining.<\/strong><\/p>\n<p>Intego has been monitoring this threat, and we can corroborate that very few Macs seem to have an active Silver Sparrow infection as of today.<\/p>\n<p>In lab analyses, Silver Sparrow malware has not yet been observed downloading a final malicious payload, so it is unclear what the malware maker\u2019s intentions were, or whether it ever did anything beyond install a method of persistence (a LaunchAgent that allows the malware to get loaded back into memory after a reboot), and eventually uninstall itself.<a name=\"how-to-remove\"><\/a><\/p>\n<h3>How can one remove or prevent Silver Sparrow and other threats?<\/h3>\n<p>Given that Apple has frequently <a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/notarization\/\">notarized<\/a> Mac malware, and Apple&#8217;s other threat mitigation features such as Gatekeeper, XProtect, and MRT do not block many types of threats, it is evident that Apple\u2019s own macOS protection methods are insufficient by themselves.<\/p>\n<p><em>Related: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/do-macs-need-antivirus-software\/\">Do Macs need antivirus software?<\/a><\/em><\/p>\n<p><img loading=\"lazy\" class=\"alignright size-medium wp-image-54214\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\" alt=\"Intego X9 software boxes\" width=\"300\" height=\"150\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-150x75.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch.png 600w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/>Intego VirusBarrier X9, included with <strong><a href=\"https:\/\/www.intego.com\/mac-protection-bundle\">Intego&#8217;s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate this malware. VirusBarrier detects Silver Sparrow as <strong>OSX\/Slisp<\/strong>.<\/p>\n<p>VirusBarrier is designed by Mac security experts, and it protects against a much wider variety of malware than Apple\u2019s mitigation methods.<\/p>\n<p>Although some reports have suggested that users can \u201cvaccinate\u201d their Macs by creating a blank file at ~\/Library\/._insu (which could theoretically prevent the malware from installing, or cause the malware to remove itself), and at least one company actually created a script to assist users in doing so, we do <strong>not<\/strong> recommend this for several reasons, as follows.<\/p>\n<p>Apple has already effectively disabled the two known variants of this malware, so it should not be possible for it to install anymore. Additionally, any potential future versions of this malware would likely avoid installing itself based on the existence of a file whose path is now widely known to the public. 
Moreover, installing your own empty file at ~\/Library\/._insu can lead to false-positive detections from some anti-malware products, which can make it more difficult for those companies to determine the actual reach of the malware.<\/p>\n<p>If you believe your Mac may have been infected, or to prevent future infections, it&#8217;s best to use antivirus software from a trusted Mac developer that includes <a href=\"https:\/\/www.intego.com\/mac-security-blog\/why-your-antivirus-needs-real-time-scanning\/\">real-time scanning<\/a>, such as <a href=\"https:\/\/www.intego.com\/mac-protection-bundle\">VirusBarrier X9<\/a>\u2014which also protects Macs from the first known M1-native malware, a variant of <strong>OSX\/Pirrit<\/strong>. VirusBarrier proactively blocked the new Pirrit variant before it was even discovered.<\/p>\n<p><span style=\"font-size: small;\">Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from these threats. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple<\/span><span style=\"font-size: small;\">.<\/span><a name=\"iocs\"><\/a><\/p>\n<h3>Indicators of compromise (IoCs)<\/h3>\n<p>Following are some specific ways to identify whether a Mac may have been infected by Silver Sparrow.<\/p>\n<p>This malware has used the generic-sounding filenames \u201cupdate.pkg\u201d and \u201cupdater.pkg\u201d for the initial installation. The existence of a file with one of those names in the ~\/Downloads (i.e. \/Users\/username\/Downloads) folder may be a possible sign of infection.<\/p>\n<p>Apple has since revoked the Developer IDs that were used for signing and requesting notarization of this malware. 
The developer names and Team IDs of the revoked dev accounts are:<\/p>\n<pre>Julie Willey (MSZ3ZH74RK)\r\nSaotia Seay (5834W6MYX3)<\/pre>\n<p>The following SHA-256 file hashes belong to known OSX\/Slisp files associated with this malware campaign.<\/p>\n<p>The following file and directory paths have been associated with this malware. The existence of these files or folders on a Mac could be a possible sign of an infection, or a past infection in the case of the \u201c._insu\u201d file:<\/p>\n<pre>~\/Downloads\/update.pkg\r\n~\/Downloads\/updater.pkg\r\n~\/Library\/._insu (most common; 0-byte file)\r\n~\/Library\/Application Support\/agent_updater\/\r\n~\/Library\/Application Support\/verx_updater\/\r\n~\/Library\/LaunchAgents\/agent.plist\r\n~\/Library\/LaunchAgents\/init_agent.plist\r\n~\/Library\/LaunchAgents\/init_verx.plist\r\n~\/Library\/LaunchAgents\/verx.plist\r\n\/Applications\/updater.app\/\r\n\/Applications\/tasker.app\/\r\n\/tmp\/agent.sh\r\n\/tmp\/version.json\r\n\/tmp\/version.plist\r\n\/tmp\/verx<\/pre>\n<p>A copy of the \/tmp\/verx file has not yet been obtained by any malware researchers. 
If you find a copy of it, please <a href=\"https:\/\/www.intego.com\/support\/submit-malware\">submit it to Intego<\/a> for analysis.<\/p>\n<p>The apps dropped into the \/Applications folder may have one of the following Bundle IDs:<\/p>\n<pre>com.hello.tasker - first reported by Intego\r\ncom.tasks.updater<\/pre>\n<p>The following domains have been observed to have ties with this malware:<\/p>\n<pre>api.mobiletraits[.]com\r\napi.specialattributes[.]com\r\nmobiletraits.s3.amazonaws[.]com\r\nspecialattributes.s3.amazonaws[.]com\r\nupdate-v3a98x2.s3.amazonaws[.]com<\/pre>\n<p>Any recent network traffic to or from any of these domains (from mid-August 2020 to present) should be considered a possible sign of an infection.<a name=\"learn-more\"><\/a><\/p>\n<h3>How can I learn more?<\/h3>\n<p>For additional details about Silver Sparrow, you can refer to the original write-up by <a href=\"https:\/\/redcanary.com\/blog\/clipping-silver-sparrows-wings\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Tony Lambert<\/a> as well as later write-ups by <a href=\"https:\/\/www.sentinelone.com\/blog\/5-things-you-need-to-know-about-silver-sparrow\/\" target=\"_blank\" rel=\"noopener\">Phil Stokes<\/a> and <a href=\"https:\/\/blog.malwarebytes.com\/mac\/2021\/02\/the-mystery-of-the-silver-sparrow-mac-malware\/\" target=\"_blank\" rel=\"noopener\">Thomas Reed<\/a>.<\/p>\n<p><a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" class=\"alignright size-thumbnail wp-image-71818\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-150x150.png\" sizes=\"(max-width: 50px) 100vw, 50px\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-150x150.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-32x32.png 32w, 
https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-50x50.png 50w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-64x64.png 64w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-96x96.png 96w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile-128x128.png 128w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png 300w\" alt=\"\" width=\"50\" height=\"50\" data-pagespeed-url-hash=\"2337344131\" \/><\/a>We discussed Silver Sparrow malware\u00a0on episode 176 of the <a href=\"https:\/\/podcast.intego.com\/\"><strong>Intego Mac Podcast<\/strong><\/a>. Be sure to <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" rel=\"noopener\">subscribe<\/a> to make sure you don\u2019t miss any episodes! You\u2019ll also want to subscribe to our <strong>e-mail newsletter<\/strong> and keep an eye here on <strong>The Mac Security Blog<\/strong> for the latest Apple security and privacy news.<\/p>\n<p><span style=\"font-size: 
x-small;\">Silver Sparrow header image based on &#8220;<a href=\"https:\/\/commons.wikimedia.org\/wiki\/File:House_Sparrow(Passer_domesticus).jpg\" target=\"_blank\" rel=\"noopener noreferrer\">House Sparrow (Passer domesticus)<\/a>&#8221; by <a class=\"owner-name truncate\" title=\"Go to Mathias Appel's photostream\" href=\"https:\/\/www.flickr.com\/photos\/mathiasappel\/\" data-track=\"attributionNameClick\">Mathias Appel<\/a> (<a href=\"https:\/\/creativecommons.org\/publicdomain\/zero\/1.0\/deed.en\" target=\"_blank\" rel=\"noopener noreferrer\">CC0<\/a>); modified by Joshua Long, Intego.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new family of Mac malware dubbed Silver Sparrow (detected by Intego and others as OSX\/Slisp) has apparently infected at least 40,000 Macs, according to reports. It is also one of the first pieces of Mac malware that runs natively on Apple&#8217;s new M1 processors. These facts combined have propelled Silver Sparrow into the mainstream [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":93151,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[4587,4608,86,589],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"A new family of Mac malware dubbed Silver Sparrow (detected by Intego and others as OSX\/Slisp) has apparently infected at least 40,000 Macs, according to\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" 
\/>\n<meta property=\"og:title\" content=\"Silver Sparrow: 40,000 Macs Infected by Mysterious M1-native Malware - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"A new family of Mac malware dubbed Silver Sparrow (detected by Intego and others as OSX\/Slisp) has apparently infected at least 40,000 Macs, according to\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/JoshLong\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-25T07:15:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-20T18:44:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-400x260-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@theJoshMeister\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joshua Long\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-400x260-1.jpg\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-400x260-1.jpg\",\"width\":400,\"height\":260,\"caption\":\"evil OSX Silver Sparrow Slisp bird macOS malware logo\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/\",\"name\":\"Silver Sparrow: 40,000 Macs Infected by Mysterious M1-native Malware - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#primaryimage\"},\"datePublished\":\"2021-02-25T07:15:41+00:00\",\"dateModified\":\"2024-05-20T18:44:04+00:00\",\"description\":\"A new family of Mac malware dubbed Silver Sparrow (detected by Intego and others as OSX\/Slisp) has apparently infected at least 40,000 Macs, according 
to\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Silver Sparrow: 40,000 Macs Infected by Mysterious M1-native Malware\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\"},\"headline\":\"Silver Sparrow: 40,000 Macs Infected by Mysterious M1-native 
Malware\",\"datePublished\":\"2021-02-25T07:15:41+00:00\",\"dateModified\":\"2024-05-20T18:44:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#webpage\"},\"wordCount\":2265,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/02\/evil-OSX-Silver-Sparrow-Slisp-bird-macOS-malware-logo-400x260-1.jpg\",\"keywords\":[\"Apple Silicon\",\"Apple Software Notarization\",\"Malware\",\"Proof of Concept (PoC)\"],\"articleSection\":[\"Malware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\",\"name\":\"Joshua Long\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"caption\":\"Joshua Long\"},\"description\":\"Joshua Long (@theJoshMeister), formerly Intego\\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. 
Apple has publicly acknowledged Josh for discovering an Apple\\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \\u2014\",\"sameAs\":[\"https:\/\/security.thejoshmeister.com\",\"https:\/\/www.facebook.com\/JoshLong\",\"https:\/\/www.instagram.com\/thejoshmeister\/\",\"https:\/\/www.linkedin.com\/in\/thejoshmeister\",\"https:\/\/www.pinterest.com\/thejoshmeister\/\",\"https:\/\/twitter.com\/theJoshMeister\",\"https:\/\/www.youtube.com\/@theJoshMeister\"],\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}