Hunters’ Proposed TTPs:
Apple revoked the certificates of the developer accounts used to sign the packages, as a way to prevent further infections, and Amazon reacted by shutting down the domains involved so that the C2 activity would stop working as well. However, we still recommend checking all macOS machines for potential infection with the malware.
Hunters developed TTP-based detections for Silver Sparrow, described below. We recommend that security teams adopt these TTPs in addition to the IOCs that a variety of security products use to block this execution, since the TTPs can also help spot attackers who reuse the same techniques.
These TTPs were added to the Hunters’ XDR platform, and all Hunters’ customer environments were reviewed for the presence of Silver Sparrow IOCs and the TTPs described below.
- Plist, not your Buddy – Silver Sparrow creates a LaunchAgent through a PlistBuddy process, which is the first indicator of malicious activity. We began researching PlistBuddy and how to derive a TTP from it.
- We queried the raw data for executed PlistBuddy commands. As the picture below shows, there is a large volume of legitimate PlistBuddy commands.
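As an added example of how the noise described above can be filtered, the Python below parses PlistBuddy command lines from process-execution telemetry and keeps only those that write to a plist under a LaunchAgents or LaunchDaemons directory, the persistence pattern the post attributes to Silver Sparrow. This is not Hunters’ own detection logic, the events are constructed samples (the label `com.placeholder.agent` is a placeholder, not an IOC), and narrowing the TTP to those two directories and to PlistBuddy’s writing verbs is an assumption made here to separate persistence from the far more common read-only and Info.plist edits.

```python
"""Triage PlistBuddy executions from process telemetry.

Keep only invocations that WRITE to a LaunchAgents/LaunchDaemons plist
(persistence); drop read-only uses and edits of ordinary bundle plists.
Constructed sample data, not real telemetry.
"""
import shlex

# Constructed sample process-execution events (assumed schema: parent, cmdline).
SAMPLE_EVENTS = [
    # Xcode build step bumping a bundle version: benign write, not a persistence path.
    {"parent": "xcodebuild",
     "cmdline": '/usr/libexec/PlistBuddy -c "Set :CFBundleVersion 42" '
                '/Users/dev/Build/MyApp.app/Contents/Info.plist'},
    # Package manager reading a version string: benign read.
    {"parent": "brew",
     "cmdline": '/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" '
                '/Applications/Foo.app/Contents/Info.plist'},
    # Admin inspecting an existing agent: read-only, even though the path is a LaunchAgent.
    {"parent": "zsh",
     "cmdline": '/usr/libexec/PlistBuddy -c "Print" '
                '/Users/dev/Library/LaunchAgents/com.example.helper.plist'},
    # Shell script building a brand-new LaunchAgent: the pattern the TTP targets.
    {"parent": "bash",
     "cmdline": '/usr/libexec/PlistBuddy -c "Add :Label string com.placeholder.agent" '
                '-c "Add :RunAtLoad bool true" -c "Add :ProgramArguments array" '
                '-c "Add :ProgramArguments:0 string /bin/sh" '
                '/Users/victim/Library/LaunchAgents/com.placeholder.agent.plist'},
    # Installer toggling a vendor daemon: a persistence write too, left for analyst review.
    {"parent": "installer",
     "cmdline": '/usr/libexec/PlistBuddy -c "Set :Disabled false" '
                '/Library/LaunchDaemons/com.vendor.updater.plist'},
]

# Assumption: persistence lives under these directories (user or system scope).
PERSISTENCE_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")
# PlistBuddy commands that modify the file; Print/Help are read-only.
WRITE_VERBS = {"add", "set", "delete", "merge", "import", "copy", "clear", "save"}


def parse_plistbuddy(cmdline):
    """Return {'target': path, 'commands': [...]} for a PlistBuddy command line,
    or None if the process is not PlistBuddy. Each -c argument is one command."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "PlistBuddy":
        return None
    commands, target, i = [], None, 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-c" and i + 1 < len(argv):
            commands.append(argv[i + 1])
            i += 2
            continue
        if arg in ("-x", "-h"):  # output-format / help flags carry no operand
            i += 1
            continue
        target = arg  # the last positional argument is the plist being operated on
        i += 1
    return {"target": target, "commands": commands}


def is_persistence_write(parsed):
    """True when the target is a LaunchAgents/LaunchDaemons plist and at least
    one command modifies it."""
    if not parsed or not parsed["target"]:
        return False
    if not any(d in parsed["target"] for d in PERSISTENCE_DIRS):
        return False
    verbs = (c.split(None, 1)[0].lower() for c in parsed["commands"] if c.strip())
    return any(v in WRITE_VERBS for v in verbs)


def triage(events):
    """Return the events worth an analyst's attention, with the parent process
    kept so legitimate installers can be distinguished from shell-driven writes."""
    hits = []
    for ev in events:
        parsed = parse_plistbuddy(ev["cmdline"])
        if parsed and is_persistence_write(parsed):
            hits.append({"parent": ev["parent"], "target": parsed["target"],
                         "commands": parsed["commands"]})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[review] parent={hit['parent']} target={hit['target']}")
        for cmd in hit["commands"]:
            print(f"         -c {cmd!r}")
```

Of the five constructed events only the last two survive the filter, and carrying the parent process through lets an analyst separate the installer-driven daemon edit from the shell script assembling a new agent, which is the context a raw PlistBuddy query lacks.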