Share this page!

ESET research Profile picture
Twitter logo
2 Mar, 10 tweets, 4 min read
We have received a lot questions about the Silver Sparrow malware for macOS after a publication by @redcanary. #ESETresearch has investigated and found that, far from speculations about nation-state malware, it is likely related to adware and pay-per-install schemes. 1/10
We have first seen Silver Sparrow in the wild early September. Our telemetry (although limited) showed under 50 instances of this threat, spread all around the globe. We have monitored the configuration file and never seen any actual payload delivered. 2/10
The fact that the configuration file is hosted in AWS S3 bucket means there is no way for the attackers to send different configuration to specific targets. S3 only supports serving static content and cannot generate a dynamic response based on IP or any request parameters. 3/10
One characteristic of Silver Sparrow is that it will uninstall itself in the presence of a ~/Library/._insu file. We found other malicious scripts, used in campaigns, that will refuse to install later staged if this file (or .sum) is present. 4/10
We suspect that this file is created after a Mac has been monetized and no longer has value to the gang behind this malware. “insu” may be short for “installation successful”. 5/10
Creating the file on your system prevents infection for the current variant, but would be useless since the path will likely change now that is known publicly. The ecosystem for these campaigns of Mac malware is quite confusing. They are known to install multiple persistent 6/10
components. Our example infection chain relates to
👾Mughthesec (objective-see.com/blog/blog_0x20…)
👾Shlayer (intego.com/mac-security-b…)
👾Tarmac (blog.confiant.com/osx-shlayer-ne…) 7/10
It’s also interesting to note that everything in the campaign described is hosted in AWS. They use CloudFront for CDN, S3 for storage, and API Gateway for dynamic content. PPI campaigns has been a thing on Mac for many years. 8/10
Plain text IoCs:
1807eb8c3719c9faa0210d8a5df2068d2c89d90d
f59602e043f9788b5924f8e1c225483f934bf5d8
8abb0defedb0eddb48a14a2c2721c53c8020ad00
8dbc48768edd795b1446e04e5cc2fd9dbf196410
6dcd11b70c535dca09208aaf8168d962a9daa13d
9b0fa382642c721b7bab4891b31d640d9a6e4b33 9/10
PDF of event chain: welivesecurity.com/wp-content/upl… #ESETresearch 10/10

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

ESET research Profile picture
16 Nov 20
#ESETresearch discovered a supply-chain attack performed by #Lazarus APT group against South Korean 🇰🇷 internet users. @cherepanov74 @pkalnai welivesecurity.com/2020/11/16/laz… 1/7
WIZVERA VeraPort software is often used on internet banking and government websites in 🇰🇷 South Korea. The purpose of this software is to install additional security software required by some of these websites. 2/7
The attackers abused a combination of WIZVERA VeraPort software and compromised South Korean websites with VeraPort support, to deploy Lazarus malware. 3/7
Read 7 tweets
ESET research Profile picture
18 Jun 20
#ESETresearch unearths modus operandi of the elusive #InvisiMole group, digging up their arsenal used to stay invisible. Our investigation also shows previously unknown ties between InvisiMole and #Gamaredon groups welivesecurity.com/2020/06/18/dig… @cherepanov74 @zuzana_hromcova 1/9
#InvisiMole #APT group resurfaced in targeted attacks against high-profile organizations in Eastern Europe, targeting military sector and diplomatic missions. We previously documented their two feature-rich backdoors RC2CL and RC2FM; now we reveal the rest of their TTPs. 2/9
We discovered that the most interesting targets of #Gamaredon are upgraded to far stealthier #InvisiMole spyware, with Gamaredon’s .NET downloader delivering InvisiMole’s TCP downloader. This cooperation allows InvisiMole to devise creative ways to operate under the radar. 3/9
Read 9 tweets
ESET research Profile picture
17 Jun 20
#ESETresearch analyzed operation #Interception, a new espionage campaign targeting aerospace & defense companies in Europe and the Middle East. Initial contact was made via #LinkedIn, where attackers approached targets with fake job offers @jiboutin welivesecurity.com/2020/06/17/ope… 1/5
The attackers sent a password protected RAR archive containing a LNK file responsible for showing a decoy PDF and downloading additional malware. In some cases, this archive was sent directly through #LinkedIn instant messenger. #ESETresearch 2/5
While the victim was being deceived by the decoy PDF, a scheduled task was created, launching WMIC to execute a script embedded in a remote XSL file. This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the computer. 3/5
Read 5 tweets
ESET research Profile picture
7 May 20
#ESETresearch stumbled upon strange samples which use the packer we described in publications on the #Winnti Group. The payload in these samples is an implant attributed to Equation. It is known as PeddleCheap according to the project names seen in the Shadow Brokers leaks. 1/8
Those samples were first seen in 2017, one year before it was used in the compromised games in 2018 (welivesecurity.com/2019/03/11/gam…). They are 8b8d2eb8de66890f4c0950ccb3fff95b0f42b9e1 and b48beb5e49976294287b1d6910d7445db83e5cf2. #ESETresearch @marc_etienne_ 2/8
These particular executables do 3 things: launch the legitimate Adobe Flash installer, copy itself to %TEMP%\micrit.exe and start PeddleCheap. #ESETresearch @marc_etienne_ 3/8
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @ESETresearch has new unrolls!

Check out other threads from @ESETresearch!

Read all threads by @ESETresearch