![]() ![]() We’ve dubbed this activity cluster “Silver Sparrow.” The novelty of this downloader arises primarily from the way it uses JavaScript for execution-something we hadn’t previously encountered in other macOS malware-and the emergence of a related binary compiled for Apple’s new M1 ARM64 architecture. However, our investigation almost immediately revealed that this malware, whatever it was, did not exhibit the behaviors that we’ve come to expect from the usual adware that so often targets macOS systems. Other teams may cluster this activity differently based on their assessments.Įarlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence. A subset of those 29,139 machines were infected by one of the two malicious packages described in this blog, while the majority contained the `._insu` file check and were therefore affected by the overall Silver Sparrow activity cluster as we define it. One file we chose to include in the cluster is the `._insu` file that seems to instruct the malware to remove itself from an endpoint. This distinction may seem small, but it’s important because the Silver Sparrow activity cluster comprises multiple artifacts, including clearly malicious files and unusual or suspicious ones too. UPDATE on : A previous version of this blog stated that, “…Silver Sparrow had infected 29,139 macOS endpoints….” We have updated it to state that the Silver Sparrow activity cluster affected 29,139 macOS endpoints. Minimize downtime with after-hours support.Train continuously for real world situations.Operationalize your Microsoft security stack.Protect critical production Linux and Kubernetes.Protect your users’ email, identities, and SaaS apps.Protect your corporate endpoints and network.Time will tell if Apple decides to side with those who stand against these PUPs, by revoking their entitlements. At the time of writing, Apple is implicitly siding with the PUPs, providing them protection against removal. ![]() With the protection involved in the system extension entitlement, there is no longer any middle ground. The report concludes:Īpple’s days of sitting on the fence are now over. Also troubling is how the report notes that Apple security measures introduced in macOS 10.15 Catalina prevent users from uninstalling some PUPs without disabling System Integrity Protection. The Mac section of the full report contains some disturbing details, such as a description of the bizarre ThiefQuest malware, which fakes a ransomware attack while exfiltrating personal data from your Mac. It’s worth keeping in mind that actual malware-the truly malicious stuff-accounted for just 1.5% of all Mac detections in 2020, with the rest being adware and so-called potentially unwanted programs (PUPs), which is just a nice term for crapware like browser toolbars that clutter your browser, display ads, and track you. Overall malware detections decreased 38% on the Mac, though Mac malware in businesses increased 31%. Malwarebytes Labs has published its 2021 report on malware, reflecting on the state of malware threats in 2020 based on detections in the Malwarebytes apps and services. Malwarebytes Reports on the State of Mac Malware in 2020 ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |