February 23, 2021

Silver Sparrow Dropper Flies Through macOS Detection; Free Script Available for MSPs

By Dan Garcia

Following the FireEye breach in December, Datto released a free FireEye Countermeasure Scanner for managed service providers (MSPs) to detect the stolen tools. As a threat emerged this week in the form of a new dropper called Silver Sparrow, the Datto RMM engineering team sprung into action and has developed a free script for MSPs that detects the presence of this dropper.

A dropper is used in an attack to establish persistence on a device and deliver a payload, the component that causes harm to the system. From this analysis, there are four interesting details about this attack that should raise the profile of this activity as well as your guard to protect your small and medium business (SMB) clients.

Targeting the Apple M1 Architecture

Launched in November, the Apple M1 architecture marked the departure from the Intel-based processors that Apple has relied on for desktop and laptop product lines. Up to this point in time, there hasn’t been a variant that has targeted the new ARM64 based architecture from Apple. The teams at Red Canary and Malwarebytes who made the discovery uncovered two variants of Silver Sparrow. While the first variant was Intel x86_64 only, the second sample included both x86_64 and ARM64 architectures in the PKG. This should be a clear signal to the MSP community that actors are continuing to target macOS and evolving their techniques.

Use of the macOS Installer Javascript API

Existing malware techniques leverage preinstall and postinstall scripts as part of the installer which detection engines can identify the process execution patterns to take action. Silver Sparrow leverages the trusted macOS Installer process to execute malicious JavaScript commands buried in an XML file, included in the package. This provides the malicious code additional cover from existing detection capabilities, and those that make assumptions on trusted operating system processes, thus making this challenging for many next-gen engines to identify as malicious. This is a clear move to look more like a normal or trusted package install and remove a detection opportunity for defenders.

The Missing Payload

Through the analysis conducted, neither team had observed the most impactful part of any dropper: the payload. Payloads are what we generally hear about in the news and in our response efforts (these include RYUK and Trickbot) have consequential results. The Malwarebytes team indicates that of the hosts that the dropper was identified on, they all seem to lack the payload. Furthermore, within the execution scripts, there were coded messages using the standard “Hello World”, which lends itself to the idea that Silver Sparrow is still under development by an actor. The evidence strongly suggests that this dropper is in its early days and that we will likely hear more about Silver Sparrow in the future.

Self Destruction

We can all appreciate someone cleaning up after themselves, but the guest you want stopping by and cleaning up any traces isn’t Silver Sparrow. While the dropper is meant to be persistent, there is a kill switch of sorts built into Silver Sparrow to force the removal of the components with persistent mechanisms installed. This is accomplished through monitoring for the presence of a file, ~/Library/._insu. This technique allows its operators, if desired, to drop the payload and exit from the system without a trace.

Detection and Prevention of Silver Sparrow

As the news of this activity broke, the Datto RMM engineering team knew that our MSP partners and the greater IT community would need support given the challenges that many endpoint detection and response (EDR) products have in mitigating this threat. Today, the Datto RMM engineering team has released the Silver Sparrow Detection and Prevention script within the product for immediate use and availability on the Datto RMM ComStore for Datto RMM partners and on GitHub for the greater community to take advantage of within other RMM platforms. The new script not only helps to detect the current variant but places the self-destruct file to help remove the presence of Silver Sparrow, preventing a payload from being delivered. The script is based on the indicators in the Red Canary report, which may evolve, therefore community feedback is welcomed to support continuous improvement.

The Information Security and Datto RMM teams at Datto are committed to the security of our MSP partners and their SMBs and will continue to develop and provide tools to improve security at scale. The path towards cyber resilience takes continuous improvement, a joint responsibility we accept in our goal to help protect the channel.

Suggested Next Reads

Elevate Autotask Tickets With IT Glue Checklists

Streamline IT support with Autotask checklists. Empower Level 1 technicians to handle repetitive tickets efficiently, reducing escalations and improving service quality.