Silver Sparrow

As a result, detecting a persistence mechanism in the form of a malicious LaunchAgent can be extremely difficult using EDR alone because it requires you to analyze surrounding activity to make a decision about the installer itself. In other words: you know that the LaunchAgent can be used as a persistence mechanism, but—since you might not be able to see the contents of the LaunchAgent file—you have to rely on context to determine the intent of that LaunchAgent.

Our investigation uncovered two versions of Silver Sparrow malware, which we will refer to as “version 1” and “version 2” throughout this post (see the Indicators of Compromise section for a summary of indicators surrounding these two samples):

In Silver Sparrow, we follow two sisters with different mothers who share the same father. The girls are kept away from each other. They grow up in seemingly similar circumstances, but their father's disparate treatment of them results in different lives for the two of them. When their paths finally intersect, it leads to the unraveling of their father's carefully crafted families.

The Intel-only version simply says, “Hello, World!”; and the M1-compatible sample displays the message “You did it!”

Jones herself is a child of a second marriage, although “there is no scandal there,” she clarifies. “My father is not a bigamist. But I also say to people, ‘My father is not a bigamist that I know of. Just as your father is not a bigamist that you know of.’ That’s part of the mystery of fatherhood.” She has two sisters, but they lived “600 miles away”, while Jones grew up with their father. “I’ve always wondered what their lives were like; what they thought of me; what they thought of the family that I grew up in,” Jones says. “I wrote Silver Sparrow as a gift to my sisters.”

Why didn't Raleigh have his own lady-friend, why did he hang his whole life on his not-brother and his family? Why did Dana befriend Chaurisse, did she genuinely want to be her friend or was her plan to eventually expose their father? Was Dana just trying to replace Ronalda? Dana's mother knew James was married, beyond having the affair and a baby, why did she want to be a second, illegal wife? What did she hope to gain? What did James think would come of it? What did James and Dana's mother say to each other after it all happened? How did Dana and Chaurisse avoid each other after it all happened for so long; granted, Atlanta's not a small town, but it seemed they were in a small enclave with many overlapping acquaintances? James left Dana and her mother, it seemed, pretty easily - did he love them, was it really that easy and simple a decision for him?

Once fully executed, Silver Sparrow leaves two scripts on an infected disk: /tmp/agent.sh and ~/Library/Application Support/verx_updater/verx.sh.

Silver Sparrow is only the second piece of malware to contain code that runs natively on Apple’s new M1 chip. An adware sample reported earlier this week was the first. Native M1 code runs with greater speed and reliability on the new platform than x86_64 code does because the former doesn’t have to be translated before being executed. Many developers of legitimate macOS apps still haven’t completed the process of recompiling their code for the M1. Silver Sparrow’s M1 version suggests its developers are ahead of the curve.

While tools like osquery and antimalware controls have excellent visibility into the contents of LaunchAgents, some endpoint detection and response (EDR) tools have a hard time gaining visibility into LaunchAgents. EDR tooling tends to rely on process monitoring that offers a great deal of visibility into the creation—but not necessarily the contents—of a file. For example, an EDR tool might offer you the following shell command:

cp /Volumes/TotesLegit.app/Resources/launcher.plist ~/Library/LaunchAgents/launcher.plist

The extent to which that has warped her is palpable as Dana recalls all the times her mum, Gwen, has taken her to spy on – Gwen prefers “surveil” – James’s public family. “We didn’t do damage to anyone but ourselves,” she explains. Still, the knowledge she holds over her half-sister electrifies the novel’s second half, which is narrated by Chaurisse, still unaware of her father’s double life. The girls have by then met at a science fair and become pals, with plain, academically unremarkable Chaurisse eager for some of Dana’s cool to rub off on her. She thinks of Dana as a “silver girl”, popular and smart, likening her to a “Barbie doll dipped in chocolate” when she first sees her.

Among the most impressive things about Silver Sparrow is the number of Macs it has infected. Red Canary researchers worked with their counterparts at Malwarebytes, with the latter group finding Silver Sparrow installed on 29,139 macOS endpoints as of Wednesday. That’s a significant achievement.

James's 'wife' is named Laverne. Gwen accepts that James found Laverne first... and respects his wife's rights. After all, she has legal documents. (I was laughing - thinking.... boy, that's all it takes - legal documents, huh.. - to be ok for your husband to have another wife and daughter? "ok, lol"!!!) Both daughters' voices as narrator are equally important to see the 'big picture' of what's going on.

Minding One's Manners Around Newly-Baked Trojans

Silver Sparrow is also unusual because it's only the second known piece of malware capable of targeting Apple's new M1 ARM architecture Macs, and because it hasn't done anything yet. Macs located in 153 different countries are known to be infected, although the highest volumes are found in the United States, United Kingdom, Canada, France, and Germany.
