Silver Sparrow attack on over 30,000 Macs; here is what we know so far

Gone are the days when Apple devices were considered the safest option. Advances in technology have not only fueled innovation but have also made attacks easier to carry out, and that has become plain with over 30,000 Apple Macs infected by the Silver Sparrow malware.

This comes at a time when Apple is busy publicising its M1 Macs as safer than Intel-based ones. The malware was discovered by researchers at Red Canary, a security firm, who found Macs with the latest M1 chips running unknown commands. According to them, Silver Sparrow uses the macOS installer JavaScript API to execute commands. The first malware for M1 Macs, ‘GoSearch22’, was reported in December 2020 as a Safari browser extension that displayed ads; Silver Sparrow is the second, and the latest, malware threat to be reported for the platform.

What is Silver Sparrow?

Silver Sparrow is being treated as a malware program, though its exact purpose remains unclear. There are two versions that target macOS: one for Intel-based Macs and the other for M1-based Macs.

According to researchers, Silver Sparrow exploits JavaScript to run commands on machines, which is surprising as JavaScript is uncommon on macOS. “Though we haven’t observed it delivering malicious payloads yet, the forward-looking M1 chip compatibility, operational maturity, global reach, and relatively high infection rate can pose a serious threat as it’s positioned to deliver a potentially harmful payload at a moment’s notice,” they further added in a statement.

They also said that they do not yet know how it spreads but have collected some important information about it, such as its infrastructure, which is hosted on Amazon Web Services S3. Some callback domains were hosted on Akamai’s CDN platform, which the researchers take as a sign of a sophisticated operator.

“This implies that the adversary likely understands that the hosting choice allows them to blend in with the normal overhead of cloud infrastructure traffic. A majority of companies cannot afford to block access to resources in AWS and Akamai. Using AWS infrastructure supports our assessment that this is an operationally mature adversary,” they further said.

The malware is of serious concern because it runs natively on Apple’s latest M1 chips. However, that does not mean only M1 Macs are being targeted; Intel-based Macs are at equal risk of infection.

What does it do?

Silver Sparrow makes use of the installer’s “system.run” command for execution. With it, an attacker can supply the full path to a process to be executed together with its arguments. The malware then has the installer spawn multiple bash processes to achieve its main objective.


Functions named appendLine, appendLinex, and appendLiney are used by the malware to build bash commands with arguments that write input to files on disk. It writes each of its components out line by line using these JavaScript calls.

This lets the attackers modify the code quickly and evade simple static antivirus signatures, because the script is generated dynamically at install time rather than shipped as a static file.


Upon execution it leaves behind two scripts on the infected disk, namely “/tmp/agent.sh” and “~/Library/Application Support/verx_updater/verx.sh”. The former executes immediately at the end of the installation and contacts the C2 to register the infection, while the latter executes periodically by way of a persistent Launch Agent and contacts a remote host for information on payloads to execute.
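The two script paths and the Launch Agent persistence described above give a defender something concrete to hunt for. The following POSIX shell check is an added example written for this article, not Red Canary’s tooling; it takes the filesystem root and the user’s home directory as parameters (so it can be pointed at a mounted disk image or a test tree) and reports the on-disk artifacts named in the write-up plus any LaunchAgent plist that references the verx_updater directory. The plist name is not known from the article, so the check greps every plist in ~/Library/LaunchAgents rather than assuming one.

```shell
#!/bin/sh
# Hunt for the Silver Sparrow on-disk artifacts named in the Red Canary write-up:
#   /tmp/agent.sh
#   ~/Library/Application Support/verx_updater/verx.sh
# and any user LaunchAgent plist that points at the verx_updater directory.
# Constructed example; the two root parameters are an assumption of this script
# so it can be run against a mounted image or a test directory instead of "/".

# Usage: hunt_silver_sparrow <fs_root> <home_dir>
# Prints one "FOUND:" line per artifact. Returns 0 when clean, 1 when anything was found.
hunt_silver_sparrow() {
    fs_root="$1"     # normally /
    home_dir="$2"    # normally $HOME
    found=0

    # Script dropped at install time that registers the infection with the C2.
    if [ -f "$fs_root/tmp/agent.sh" ]; then
        echo "FOUND: installer-dropped script $fs_root/tmp/agent.sh"
        found=1
    fi

    # Script executed periodically by the persistent Launch Agent.
    verx="$home_dir/Library/Application Support/verx_updater/verx.sh"
    if [ -f "$verx" ]; then
        echo "FOUND: persistence script $verx"
        found=1
    fi

    # Persistence itself: any user LaunchAgent whose plist mentions verx_updater.
    for plist in "$home_dir"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue        # unmatched glob stays literal; skip it
        if grep -q "verx_updater" "$plist"; then
            echo "FOUND: LaunchAgent $plist references verx_updater"
            found=1
        fi
    done

    return $found
}

# Stand-alone use on a live Mac: sh hunt.sh --scan
if [ "${1:-}" = "--scan" ]; then
    hunt_silver_sparrow / "$HOME" && echo "No Silver Sparrow artifacts found."
fi
```

A clean result only means these particular artifacts are absent; since the installer writes its scripts dynamically, an updated variant could use different paths, so the check is a quick triage step rather than a guarantee.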

Apple’s reaction to Silver Sparrow’s flight

As soon as Silver Sparrow was reported, Apple revoked the developer certificates that had allowed the malware to be installed. This blocked the malware from being installed on any further machines.

Mac users are normally protected from such attacks because any software downloaded from outside the Mac App Store must be notarized by Apple. In this case, however, the Silver Sparrow authors were able to obtain a developer certificate and pass through the notarization process without being blocked.

The final word

It remains a mystery what the final version of this malware will do. Researchers cannot yet tell whether a payload has already been delivered and removed, or whether one is scheduled for future distribution.

If you know of any recent developments we have missed, let us know in the comments.