Security firm: mysterious Mac trojan "Silver Sparrow" probably adware


The Mac malware "Silver Sparrow" is apparently just adware: the software is most likely linked to adware and pay-per-install schemes, in which a provider pays for the installation of unwanted software, as the security company ESET Research reports based on its own analysis. The tool is "far removed" from the speculation that it is malware operated by state organizations.

Silver Sparrow without a malicious routine

ESET first saw Silver Sparrow in the wild last September and observed around "50 instances" spread across the globe. ESET was also never able to observe the delivery of a payload. Although Silver Sparrow regularly contacts a control server after the user installs it, nothing is ever downloaded; accordingly, it is still unclear what purpose the malware actually serves.

Since the configuration file is hosted in an AWS S3 bucket, the attackers can only deliver a uniform payload and not different configurations based on specific parameters for specific targets, the security researchers note.

According to ESET's analysis, other adware campaigns have used "malicious scripts" that treat the file ~/Library/._insu as a signal and then run no further routines. Silver Sparrow appears to remove itself from the system if the file exists; users can then only tell that they had probably installed the trojan. ESET suspects that the file is created after "a Mac has been monetized", at which point the machine has no further value for the attackers behind the malware.

Distribution unknown

The distribution channel of Silver Sparrow has not been documented so far; it is presumed that the malware, like other adware, is offered for download through manipulated search results and advertising banners that lure the user into installing it. In order not to trip the operating system's security functions, the malware was signed with an Apple developer certificate; Apple has since revoked the certificate to block installation on further Macs.